OpenWrt Forum Archive

Topic: Support for TP-Link Archer C2600

The content of this topic has been archived between 29 Mar 2018 and 6 May 2018. Unfortunately there are posts – most likely complete pages – missing.

I will first repeat your steps and see what I can find.

There's at least a model check + checksum in the bootloader before flashing of course.

The stock firmware header does not look like one of the existing standard tp-link firmware headers.

I tried extracting and repacking the squashfs root using  firmware-mod-kit in order to enable ssh.  Though I was able to repack the firmware, I don't think the checksum in the header was updated, and the bootloader would not flash it.

The uboot  code in the gpl tarball from tp-link's site seems like it could be what is actually running on the router, so it's probably possible to make sense of that to understand where the checksum is supposed to be in the header.

Funny enough the gpl tarball actually contains a fully working build system (for qualcomm+tp-link-modified openwrt 12.09, which is also what the stock firmware is running underneath), but the resulting images are only for Beeliner reference boards and don't seem flashable to the c2600 as-is.

(in the stock firmware ssh login is disabled simply by a configuration switch in the dropbear config file.  The only functionality which I can get working is tunnelling, but there don't seem to be any additional open ports behind the ssh tunnel as compared to the lan interface.  I've confirmed that the tp-link tether app for android is connecting to the ssh daemon, but of course the subsequent traffic is encrypted, so I can't see what it's doing.  It's possible that it's just interacting with the web server with some appropriate api through the tunnel.)

I also have been sifting the GPL code. Perhaps modifying this code is the safest and easiest starting point on which to build a working firmware.

Managed to get terminal access to the running stock firmware.
(By unpacking the squashfs root, modifying the dropbear configuration, repacking the squashfs root, padding/splicing back together and editing the md5sum in the header)

The format of the header btw is
firmware size (4bytes)
md5sum (16 bytes)
<data>

The md5sum is computed by concatenating <md5key> with <data>
where <md5key> is the 16 byte hex value:
7A 2B 15 ED  9B 98 59 6D  E5 04 AB 44  AC 2A 9F 4E
(obtained from the uboot code in the gpl tarball)

Let me know what output I should dump from the running firmware.
In case anyone else wants to flash it (working on my router, but no guarantees as always), the modified firmware is here (can be flashed through the web interface even)
https://www.dropbox.com/s/i0qpam73dx03t … d.bin?dl=0

(Last edited by bendavid on 1 Dec 2015, 11:52)

I flashed your firmware but I am unable to ssh into the router. I tried root/admin and my gui login details without success. Did you set a default password?

Mmm, can't remember now if I changed the web GUI password first.  In any case the webgui password does not work over SSH but rather root/admin or admin/admin

@bendavid

Great news! How about "dmesg", "lsmod", "cat /proc/mtd", "cat /proc/cpuinfo", "ip li", "ps" smile

BusyBox v1.19.4 (2015-08-28 18:30:21 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

     MM           NM                    MMMMMMM          M       M
   $MMMMM        MMMMM                MMMMMMMMMMM      MMM     MMM
  MMMMMMMM     MM MMMMM.              MMMMM:MMMMMM:   MMMM   MMMMM
MMMM= MMMMMM  MMM   MMMM       MMMMM   MMMM  MMMMMM   MMMM  MMMMM'
MMMM=  MMMMM MMMM    MM       MMMMM    MMMM    MMMM   MMMMNMMMMM
MMMM=   MMMM  MMMMM          MMMMM     MMMM    MMMM   MMMMMMMM
MMMM=   MMMM   MMMMMM       MMMMM      MMMM    MMMM   MMMMMMMMM
MMMM=   MMMM     MMMMM,    NMMMMMMMM   MMMM    MMMM   MMMMMMMMMMM
MMMM=   MMMM      MMMMMM   MMMMMMMM    MMMM    MMMM   MMMM  MMMMMM
MMMM=   MMMM   MM    MMMM    MMMM      MMMM    MMMM   MMMM    MMMM
MMMM$ ,MMMMM  MMMMM  MMMM    MMM       MMMM   MMMMM   MMMM    MMMM
  MMMMMMM:      MMMMMMM     M         MMMMMMMMMMMM  MMMMMMM MMMMMMM
    MMMMMM       MMMMN     M           MMMMMMMMM      MMMM    MMMM
     MMMM          M                    MMMMMMM        M       M
       M
 ---------------------------------------------------------------
   For those about to rock... (IPQ806X.LN, unknown)
 ---------------------------------------------------------------
admin@Archer C2600:/root$ dmesg
916151] +HWT
[   65.920806] CE_recv_buf_enqueue 809 Populate last entry 512 for CE 5
[   65.926148] CE_recv_buf_enqueue 818 CE 5 wi 511 dest_ptr 0x58703040 nbytes 0 recv_ctxt 0xd95d5b40
[   65.935395] Target:db29c800 HTC Service:0x0001, ULpipe:0 DLpipe:1 id:0 Ready
[   65.942018] -HWT
[   65.943861] 
[   65.943892] <=== cfg max peer id 1056 ====>
[   65.949609] Target:db29c800 HTC Service:0x0300, ULpipe:4 DLpipe:5 id:1 Ready
[   65.957232] HTC Service:0x0300 ep:1 TX flow control disabled
[   65.963823] CE_pkt_dl_len_set CE 4 Pkt download length 64
[   65.968447] ol_txrx_pdev_attach: 1424 tx desc's allocated ; range starts from d6e90000
[   65.976663] Target:db29c800 HTC Service:0x0100, ULpipe:3 DLpipe:2 id:2 Ready
[   65.983130] HTC Service:0x0100 ep:2 TX flow control disabled
[   65.989690] wmi_service_ready_event_rx:  WMI UNIFIED SERVICE READY event 
[   65.995532] num_rf_chain : 00000004
[   65.999000] ht_cap_info: : 0000085b
[   66.002467] vht_cap_info : 339b79b2
[   66.005966] vht_supp_mcs : 0000ffea
[   66.009403] ol_ath_service_ready_event: tt_support: 1
[   66.014464] Peer Caching Enabled ; num_peers = 528, num_active_peers = 66 num_tids = 132, num_vdevs = 16
[   66.023930] idx 0 req 1  num_units 0 num_unit_info 2 unit size 1296 actual units 529 
[   66.032114] idx 1 req 2  num_units 1 num_unit_info 4 unit size 256 actual units 67 
[   66.039393] idx 2 req 3  num_units 1 num_unit_info 4 unit size 1024 actual units 67 
[   66.047141] idx 3 req 4  num_units 1 num_unit_info 4 unit size 4096 actual units 67 
[   66.054982] idx 4 req 6  num_units 35 num_unit_info 0 unit size 3072 actual units 35 
[   66.062667] idx 5 req 7  num_units 1 num_unit_info 0 unit size 6144 actual units 1 
[   66.070290] idx 6 req 5  num_units 0 num_unit_info 2 unit size 1628 actual units 529 
[   66.078475] chunk 0 len 685584 requested ,ptr  0x57d00000 
[   66.083536] chunk 1 len 17152 requested ,ptr  0x57c08000 
[   66.088940] chunk 2 len 68608 requested ,ptr  0x57c40000 
[   66.094314] chunk 3 len 274432 requested ,ptr  0x57c80000 
[   66.099781] chunk 4 len 107520 requested ,ptr  0x57c60000 
[   66.105248] chunk 5 len 6144 requested ,ptr  0x589e8000 
[   66.110527] chunk 6 len 861212 requested ,ptr  0x57e00000 
[   66.168915] wmi_ready_event_rx:  WMI UNIFIED READY event 
[   66.173320] ol_ath_connect_htc() WMI is ready
[   66.177663] ol_ath_set_host_app_area TODO
[   66.181661] target uses HTT version 2.1; host uses 2.1
[   66.190846] ol_ath_attach() connect HTC. 
[   66.193876] ol_regdmn_start: reg-domain param: regdmn=0, countryName=, wModeSelect=FFFFFFFF, netBand=FFFFFFFF, extendedChanMode=0.
[   66.205592] ol_regdmn_init_channels: !avail mode 0x680c (0x2) flags 0x2150
[   66.212402] ol_regdmn_init_channels: !avail mode 0x680c (0x1) flags 0x140
[   66.219212] ol_regdmn_init_channels: !avail mode 0x680c (0x20) flags 0xd0
[   66.225960] ol_regdmn_init_channels: !avail mode 0x680c (0x40) flags 0x150
[   66.232802] ol_regdmn_init_channels: !avail mode 0x680c (0x1000) flags 0x10100
[   66.240049] ol_regdmn_init_channels: !avail mode 0x680c (0x8000) flags 0x20100
[   66.247235] ol_regdmn_init_channels: !avail mode 0x680c (0x10000) flags 0x40100
[   66.254545] ol_regdmn_init_channels: !avail mode 0x680c (0x20000) flags 0x100100
[   66.261980] ol_regdmn_init_channels: !avail mode 0x680c (0x40000) flags 0x200100
[   66.269290] ol_regdmn_init_channels: !avail mode 0x680c (0x80000) flags 0x400100
[   66.276663] ol_regdmn_init_channels: !avail mode 0x680c (0x100000) flags 0x800100
[   66.284223] ol_ath_phyerr_attach: called
[   66.288066] OL Resmgr Init-ed
[   66.291002] ieee80211_bsteering_attach: Band steering initialized
[   66.298500] ol_if_spectral_setup
[   66.300718] SPECTRAL : get_capability not registered
[   66.305685] HAL_CAP_PHYDIAG : Capable
[   66.309309] SPECTRAL : Need to fix the capablity check for RADAR (spectral_attach : 231)
[   66.317400] SPECTRAL : get_capability not registered
[   66.322305] HAL_CAP_RADAR   : Capable
[   66.325991] SPECTRAL : Need to fix the capablity check for SPECTRAL
[   66.325991]  (spectral_attach : 236)
[   66.335801] SPECTRAL : get_capability not registered
[   66.340737] HAL_CAP_SPECTRAL_SCAN : Capable
[   66.344923] SPECTRAL : get_tsf64 not registered
[   66.349390] spectral_init_netlink 65 NULL SKB
[   66.353764] Green-AP : Green-AP : Attached
[   66.353764] 
[   66.359356] Green-AP : Attached
[   66.362417] rate power table override is only supported for AR98XX
[   66.368697] ieee80211com_init_netlink: Socket already created d9630c00
[   66.375132] ol_if_dfs_setup: called 
[   66.378662] ol_if_dfs_attach: called; ptr=d74d5984, radar_info=da979bc8
[   66.385504] ol_ath_rtt_meas_report_attach: called
[   66.390096] ol_ath_attach() UMAC attach . 
[   66.394064] ol_if_dfs_configure: called
[   66.397844] ol_if_dfs_configure: FCC domain
[   66.401999] ol_if_dfs_disable: called
[   66.405716] ol_ath_attach: Calling ol_if_dfs_configure
[   66.410777] 
[   66.410777]  BURSTING enabled by default
[   66.416307] osif_wrap_attach:400 osif wrap attached
[   66.421024] osif_wrap_devt_init:361 osif wrap dev table init done
[   66.427116]  Wrap Attached: Wrap_com =db243800 ic->ic_wrap_com=db243800 &wrap_com->wc_devt=db243800 
[   66.436238] __ol_ath_attach: init tx/rx TODO
[   66.440456] __ol_ath_attach: needed_headroom reservation 44
[   66.446516] ol_ath_thermal_mitigation_attach: ++
[   66.450671] ol_ath_thermal_mitigation_attach: --
[   66.548484] Initializing Pktlogs for 11ac
[   66.551483] Initializing Pktlogs for 11ac
[   66.607122] __sa_init_module 
[   66.914495] [wifi1] FWLOG: [67475] WAL_DBGID_TX_AC_BUFFER_SET ( 0x3, 0x1e, 0x518, 0x518, 0x0 )
[   66.922086] [wifi1] FWLOG: [67475] WAL_DBGID_TX_AC_BUFFER_SET ( 0x12, 0x1e, 0x518, 0x518, 0x0 )
[   66.930740] [wifi1] FWLOG: [67475] WAL_DBGID_TX_AC_BUFFER_SET ( 0x45, 0x1e, 0x518, 0x518, 0x0 )
[   66.939425] [wifi1] FWLOG: [67475] WAL_DBGID_TX_AC_BUFFER_SET ( 0x67, 0x1e, 0x518, 0x518, 0x0 )
[   67.112246] [ol_ath_iw_setcountry][1641] *p=55, *(p+1)=53
[   67.116682] isCountryCodeValid: EEPROM regdomain 0x0
[   67.121587] ol_regdmn_init_channels: !avail mode 0x1f9001 (0x2) flags 0x2150
[   67.128803] ol_regdmn_init_channels: !avail mode 0x1f9001 (0x4) flags 0xa0
[   67.135613] ol_regdmn_init_channels: !avail mode 0x1f9001 (0x8) flags 0xc0
[   67.142330] ol_regdmn_init_channels: !avail mode 0x1f9001 (0x20) flags 0xd0
[   67.149359] ol_regdmn_init_channels: !avail mode 0x1f9001 (0x40) flags 0x150
[   67.156357] ol_regdmn_init_channels: !avail mode 0x1f9001 (0x800) flags 0x10080
[   67.163605] ol_regdmn_init_channels: !avail mode 0x1f9001 (0x2000) flags 0x20080
[   67.171009] ol_regdmn_init_channels: !avail mode 0x1f9001 (0x4000) flags 0x40080
[   67.178412] Add VHT80 channel: 5210
[   67.181818] Add VHT80 channel: 5290
[   67.185317] Add VHT80 channel: 5530
[   67.188753] Add VHT80 channel: 5610
[   67.192221] Add VHT80 channel: 5690
[   67.195720] Add VHT80 channel: 5775
[   67.199187] Skipping VHT80 channel 5825
[   67.226679] set TXBF_SND_PERIOD: value 100 wmi_status 0
[   67.287785] ath_ioctl: SIOC80211IFCREATE CALLED
[   67.291346] wmi_unified_vdev_create_send: ID = 0 Type = 1, Subtype = 0 VAP Addr = f4:f2:6d:37:b8:b4:
[   67.302343] __ieee80211_smart_ant_init: Smart Antenna is not supported 
[   67.308028] Enabling SG bit for the vap ath0 features 4000 
[   67.313495] Enabling TSO bit for the vap ath0 features 4000 
[   67.319181] Enabling LRO bit for the vap ath0 features 4000 
[   67.324835] VAP device ath0 created osifp: (db29bc80) os_if: (d6adc000)
[   67.360137] WARNING: Fragmentation with HT mode NOT ALLOWED!!
[   67.392721] ME Pool succesfully initialized vaddr - d6400000 paddr - 0
[   67.392721] num_elems = 10424 buf_size - 64 pool_size = 708832
[   67.404154] Enable MCAST_TO_UCAST
[   67.437050] su bfee 1 mu bfee 0 su bfer 1 mu bfer 1 impl bf 0 sounding dim 3
[   67.452264]  
[   67.452264]  DES SSID SET= 
[   67.458356]  
[   67.458356]  DES SSID SET=TP-LINK_B8B5_5G 
[   68.023648]  ieee80211_ioctl_siwmode: imr.ifm_active=66176, new mode=3, valid=1 
[   68.103905]  DEVICE IS DOWN ifname=ath0
[   68.106747]  DEVICE IS DOWN ifname=ath0
[   68.295501] [ol_ath_iw_setcountry][1641] *p=55, *(p+1)=53
[   68.299968] isCountryCodeValid: EEPROM regdomain 0x0
[   68.305029] ol_regdmn_init_channels: !avail mode 0x680c (0x2) flags 0x2150
[   68.311683] ol_regdmn_init_channels: !avail mode 0x680c (0x1) flags 0x140
[   68.318494] ol_regdmn_init_channels: !avail mode 0x680c (0x20) flags 0xd0
[   68.325335] [wifi0] FWLOG: [69596] WAL_DBGID_SECURITY_ENCR_EN (  )
[   68.331365] [wifi0] FWLOG: [69596] WAL_DBGID_SECURITY_MCAST_KEY_SET ( ol_regdmn_init_channels: !avail mode 0x680c (0x40) flags 0x150
[   68.343298] ol_regdmn_init_channels: !avail mode 0x680c (0x1000) flags 0x10100
[   68.350515] 0x1ol_regdmn_init_channels: !avail mode 0x680c (0x8000) flags 0x20100
[   68.350702] ol_regdmn_init_channels: !avail mode 0x680c (0x10000) flags 0x40100
[   68.350734] ol_regdmn_init_channels: !avail mode 0x680c (0x20000) flags 0x100100
[   68.350734] ol_regdmn_init_channels: !avail mode 0x680c (0x40000) flags 0x200100
[   68.350734] ol_regdmn_init_channels: !avail mode 0x680c (0x80000) flags 0x400100
[   68.350734] ol_regdmn_init_channels: !avail mode 0x680c (0x100000) flags 0x800100
[   68.374226] set TXBF_SND_PERIOD: value 100 wmi_status 0
[   68.392002] ath_ioctl: SIOC80211IFCREATE CALLED
[   68.392033] wmi_unified_vdev_create_send: ID = 0 Type = 1, Subtype = 0 VAP Addr = f4:f2:6d:37:b8:b5:
[   68.392314] __ieee80211_smart_ant_init: Smart Antenna is not supported 
[   68.392346] Enabling SG bit for the vap ath1 features 4000 
[   68.392346] Enabling TSO bit for the vap ath1 features 4000 
[   68.392346] Enabling LRO bit for the vap ath1 features 4000 
[   68.392346] VAP device ath1 created osifp: (de13d480) os_if: (d8414000)
[   68.429459] WARNING: Fragmentation with HT mode NOT ALLOWED!!
[   68.449953]  )
[   68.459075] ME Pool succesfully initialized vaddr - d6600000 paddr - 0
[   68.459106] num_elems = 10424 buf_size - 64 pool_size = 708832
[   68.471009] Enable MCAST_TO_UCAST
[   68.510434] su bfee 1 mu bfee 0 su bfer 1 mu bfer 1 impl bf 0 sounding dim 3
[   68.525960]  
[   68.525960]  DES SSID SET= 
[   68.532052]  
[   68.532052]  DES SSID SET=TP-LINK_B8B5 
[   68.673695]  ieee80211_ioctl_siwmode: imr.ifm_active=131712, new mode=3, valid=1 
[   68.723867]  DEVICE IS DOWN ifname=ath1
[   68.726710]  DEVICE IS DOWN ifname=ath1
[   68.873352] device ath0 entered promiscuous mode
[   68.883099] OL vap_stop +
[   68.884786] wmi_unified_vdev_stop_send for vap 0 (d9500000)
[   68.890253] OL vap_stop -
[   68.890284] STOPPED EVENT for vap 0 (d9500000)
[   68.919462] [wifi1] FWLOG: [70212] WAL_DBGID_SECURITY_ENCR_EN (  )
[   68.924617] [wifi1] 
[   68.925148] br-lan: port 2(ath0) entered forwarding state
[   68.925179] br-lan: port 2(ath0) entered forwarding state
[   68.925554] 8021q: adding VLAN 0 to HW filter on device ath0
[   68.930740] device ath1 entered promiscuous mode
[   68.937519] OL vap_stop +
[   68.937550] wmi_unified_vdev_stop_send for vap 0 (daf40000)
[   68.937550] OL vap_stop -
[   68.959200] STOPPED EVENT for vap 0 (daf40000)
[   68.963042] FWLOG: [70212] WAL_DBGID_SECURITY_MCAST_KEY_SET ( 
[   68.965010] br-lan: port 3(ath1) entered forwarding state
[   68.965010] br-lan: port 3(ath1) entered forwarding state
[   68.965042] 8021q: adding VLAN 0 to HW filter on device ath1
[   68.985629] 0x1 )
[   69.325117] [wifi0] FWLOG: [70313] WAL channel change freq=5180, mode=0 flags=0 rx_ok=1 tx_ok=1
[   69.332771] [wifi0] FWLOG: [70626] WAL channel change freq=5200, mode=0 flags=0 rx_ok=1 tx_ok=1
[   69.922055] [wifi1] FWLOG: [70336] WAL channel change freq=2412, mode=1 flags=0 rx_ok=1 tx_ok=1
[   69.929771] [wifi1] FWLOG: [70649] WAL channel change freq=2417, mode=1 flags=0 rx_ok=1 tx_ok=1
[   69.938425] [wifi1] FWLOG: [70962] WAL channel change freq=2422, mode=1 flags=0 rx_ok=1 tx_ok=1
[   69.947141] [wifi1] FWLOG: [71276] WAL channel change freq=2427, mode=1 flags=0 rx_ok=1 tx_ok=1
[   70.327272] [wifi0] FWLOG: [70939] WAL channel change freq=5220, mode=0 flags=0 rx_ok=1 tx_ok=1
[   70.335238] [wifi0] FWLOG: [71252] WAL channel change freq=5240, mode=0 flags=0 rx_ok=1 tx_ok=1
[   70.343580] [wifi0] FWLOG: [71566] WAL channel change freq=5745, mode=0 flags=0 rx_ok=1 tx_ok=1
[   70.924648] [wifi1] FWLOG: [71588] WAL channel change freq=2432, mode=1 flags=0 rx_ok=1 tx_ok=1
[   70.932364] [wifi1] FWLOG: [71901] WAL channel change freq=2437, mode=1 flags=0 rx_ok=1 tx_ok=1
[   70.940987] [wifi1] FWLOG: [72214] WAL channel change freq=2442, mode=1 flags=0 rx_ok=1 tx_ok=1
[   71.329397] [wifi0] FWLOG: [71879] WAL channel change freq=5765, mode=0 flags=0 rx_ok=1 tx_ok=1
[   71.337082] [wifi0] FWLOG: [72192] WAL channel change freq=5785, mode=0 flags=0 rx_ok=1 tx_ok=1
[   71.345766] [wifi0] FWLOG: [72506] WAL channel change freq=5805, mode=0 flags=0 rx_ok=1 tx_ok=1
[   71.684005] OL vap_start +
[   71.685660] wmi_unified_vdev_start_send for vap 0 (d9500000) 
[   71.691408] OL vap_start -
[   71.927210] [wifi1] FWLOG: [72527] WAL channel change freq=2447, mode=1 flags=0 rx_ok=1 tx_ok=1
[   71.934895] [wifi1] FWLOG: [72840] WAL channel change freq=2452, mode=1 flags=0 rx_ok=1 tx_ok=1
[   71.943548] [wifi1] FWLOG: [73153] WAL channel change freq=2457, mode=1 flags=0 rx_ok=1 tx_ok=1
[   72.032552] ol_vdev_start_resp_ev for vap 0 (d9500000)
[   72.036644] ol_ath_vap_join: join operation is only for STA/IBSS mode
[   72.043080] ol_ath_wmm_update:
[   72.046173] su bfee 1 mu bfee 0 su bfer 1 mu bfer 1 impl bf 0 sounding dim 3
[   72.053139] wmi_unified_vdev_up_send for vap 0 (d9500000)
[   72.058512] __ieee80211_smart_ant_init: Smart Antenna is not supported 
[   72.065104] Notification to UMAC VAP layer
[   72.331583] [wifi0] FWLOG: [72819] WAL channel change freq=5825, mode=0 flags=0 rx_ok=1 tx_ok=1
[   72.336332] mlme_create_infra_bss : Overriding HT40 channel with HT20 channel
[   72.336363] OL vap_start +
[   72.336363] wmi_unified_vdev_start_send for vap 0 (daf40000) 
[   72.336363] OL vap_start -
[   72.357888] [wifi0] FWLOG: [73174] vap-0 VDEV_MGR_VDEV_START ( 0x1671, 0x2, 0x0, 0x0 )
[   72.365354] [wifi0] FWLOG: [73174] WAL channel change freq=5745, mode=10 flags=0 rx_ok=1 tx_ok=1
[   72.374133] [wifi0] FWLOG: [73515] VDEV_MGR_HP_START_TIME ( 0x0, 0x1671, 0x10cc000 )
[   72.381849] [wifi0] FWLOG: [73515] RESMGR_OCS_GEN_PERIODIC_NOA ( 0x1 )
[   72.388659] [wifi0] FWLOG: [73515] RESMGR_OCS_GEN_PERIODIC_NOA ( 0x0 )
[   72.395157] [wifi0] FWLOG: [73515] VDEV_MGR_AP_TBTT_CONFIG ( 0x0, 0x1671, 0x0, 0x0 )
[   72.747766] ol_vdev_start_resp_ev for vap 0 (daf40000)
[   72.751890] ol_ath_vap_join: join operation is only for STA/IBSS mode
[   72.758294] ol_ath_wmm_update:
[   72.761418] su bfee 1 mu bfee 0 su bfer 1 mu bfer 1 impl bf 0 sounding dim 3
[   72.768384] wmi_unified_vdev_up_send for vap 0 (daf40000)
[   72.773758] __ieee80211_smart_ant_init: Smart Antenna is not supported 
[   72.780349] Notification to UMAC VAP layer
[   72.929803] [wifi1] FWLOG: [73467] WAL channel change freq=2462, mode=1 flags=0 rx_ok=1 tx_ok=1
[   72.937800] [wifi1] FWLOG: [73821] vap-0 VDEV_MGR_VDEV_START ( 0x96c, 0x2, 0x0, 0x0 )
[   72.945267] [wifi1] FWLOG: [73821] WAL channel change freq=2412, mode=5 flags=0 rx_ok=1 tx_ok=1
[   72.954451] [wifi1] FWLOG: [74227] VDEV_MGR_HP_START_TIME ( 0x0, 0x96c, 0x659001 )
[   72.961512] [wifi1] FWLOG: [74227] RESMGR_OCS_GEN_PERIODIC_NOA ( 0x1 )
[   72.968041] [wifi1] FWLOG: [74227] RESMGR_OCS_GEN_PERIODIC_NOA ( 0x0 )
[   72.974570] [wifi1] FWLOG: [74227] VDEV_MGR_AP_TBTT_CONFIG ( 0x0, 0x96c, 0x0, 0x0 )
admin@Archer C2600:/root$ lsmod
Module                  Size  Used by    Tainted: P  
smart_antenna          29311  0 
ath_pktlog             14069  0 
button_hotplug          2767  0 
NetUSB                154423  0 
GPL_NetUSB              4298  1 NetUSB
umac                 1705557  2 smart_antenna,ath_pktlog
ath_dev               315473  2 ath_pktlog,umac
hst_tx99                8202  2 umac,ath_dev
ath_spectral           28329  2 umac,ath_dev
ath_dfs                51422  1 umac
ath_rate_atheros       37155  3 ath_pktlog,umac,ath_dev
ath_hal               588790  5 ath_pktlog,umac,ath_dev,hst_tx99,ath_rate_atheros
adf                    12046  4 umac,ath_dev,hst_tx99,ath_hal
asf                     6101  6 ath_pktlog,umac,ath_dev,ath_spectral,ath_dfs,ath_hal
domain_dns              2677  0 
domain_libs             1293  1 domain_dns
fuse                   53853  0 
usb_storage            35138  0 
leds_gpio               1686  0 
gpio_keys               5417  0 
ecm                  1749958  0 
qca_nss_tunipip6        1292  0 
qca_nss_tun6rd          4552  0 
dwc3_ipq               14814  0 
ledtrig_usbdev          2276  0 
xt_mark2prio             663  0 
nf_conntrack_netlink    15102  0 
ip6t_REJECT             2929  2 
ip6t_rt                 4201  0 
ip6t_hbh                2771  0 
ip6t_mh                 1129  0 
ip6t_ipv6header         1045  0 
ip6t_frag               2925  0 
ip6t_eui64               723  0 
ip6t_ah                 2281  0 
ip6table_raw             661  1 
ip6_queue               3961  0 
ip6table_mangle          903  1 
ip6table_filter          695  1 
ip6_tables              9392  7 ip6t_rt,ip6t_hbh,ip6t_frag,ip6t_ah,ip6table_raw,ip6table_mangle,ip6table_filter
nf_conntrack_ipv6       6020  3 
nf_defrag_ipv6          7047  1 nf_conntrack_ipv6
nfnetlink               2149  1 nf_conntrack_netlink
ipt_TRIGGER             1894  0 
nf_nat_rtsp             3891  0 
nf_conntrack_rtsp       5817  1 nf_nat_rtsp
xt_httphost             1303  0 
xt_app                   691  0 
nf_nat_tftp              494  0 
nf_conntrack_tftp       2822  1 nf_nat_tftp
nf_nat_snmp_basic       6835  0 
nf_conntrack_snmp        701  1 nf_nat_snmp_basic
nf_nat_sip              5000  0 
nf_conntrack_sip       15585  1 nf_nat_sip
nf_nat_pptp             2775  0 
nf_conntrack_pptp       6200  1 nf_nat_pptp
nf_nat_h323             6086  0 
nf_conntrack_h323      38668  1 nf_nat_h323
nf_nat_proto_gre        1440  1 nf_nat_pptp
nf_conntrack_proto_gre     4086  1 nf_conntrack_pptp
nf_nat_amanda            666  0 
nf_conntrack_amanda     1541  1 nf_nat_amanda
nf_conntrack_broadcast      794  1 nf_conntrack_snmp
nf_nat_irc              1099  0 
nf_conntrack_irc        2984  1 nf_nat_irc
nf_nat_ftp              1369  0 
nf_conntrack_ftp        6986  1 nf_nat_ftp
xt_iprange              2037  0 
xt_HL                   1317  0 
xt_hl                    879  0 
xt_ecn                  1333  0 
ipt_ECN                 1301  0 
xt_CLASSIFY              601  0 
xt_time                 1459  0 
xt_tcpmss                955  0 
xt_statistic             862  0 
xt_mark                  705  0 
xt_length                758  0 
xt_DSCP                 1483  0 
xt_dscp                 1127  0 
xt_quota                 810  0 
xt_pkttype               624  0 
xt_physdev              1357  2 
xt_owner                 742  0 
compat_xtables          1709  0 
ipt_REDIRECT            1115  0 
ipt_NETMAP              1087  0 
ipt_MASQUERADE          1564  1 
iptable_nat             3262  1 
nf_nat                 12487 15 ipt_TRIGGER,nf_nat_rtsp,nf_conntrack_rtsp,nf_nat_tftp,nf_nat_sip,nf_nat_pptp,nf_nat_h323,nf_nat_proto_gre,nf_nat_amanda,nf_nat_irc,nf_nat_ftp,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,iptable_nat
xt_recent               5643  0 
xt_helper                897  0 
xt_connmark             1249  0 
xt_connbytes            1338  0 
pptp                   13644  0 
l2tp_ppp               13125  0 
pppoe                   8946  1 ecm
xt_conntrack            2393  6 
xt_CT                   2457  0 
xt_NOTRACK               620  0 
iptable_raw              711  1 
xt_state                 786  0 
nf_conntrack_ipv4       6459  6 iptable_nat,nf_nat
nf_defrag_ipv4           817  1 nf_conntrack_ipv4
nf_conntrack           52552 36 ecm,nf_conntrack_netlink,nf_conntrack_ipv6,ipt_TRIGGER,nf_nat_rtsp,nf_conntrack_rtsp,nf_nat_tftp,nf_conntrack_tftp,nf_nat_snmp_basic,nf_conntrack_snmp,nf_nat_sip,nf_conntrack_sip,nf_nat_pptp,nf_conntrack_pptp,nf_nat_h323,nf_conntrack_h323,nf_conntrack_proto_gre,nf_nat_amanda,nf_conntrack_amanda,nf_conntrack_broadcast,nf_nat_irc,nf_conntrack_irc,nf_nat_ftp,nf_conntrack_ftp,xt_DSCP,ipt_MASQUERADE,iptable_nat,nf_nat,xt_helper,xt_connmark,xt_connbytes,xt_conntrack,xt_CT,xt_NOTRACK,xt_state,nf_conntrack_ipv4
ehci_hcd               57476  0 
xhci_hcd               94431  0 
dwc3                   38987  1 dwc3_ipq
udc_core                5309  1 dwc3
sd_mod                 23172  0 
pppox                   1220  3 pptp,l2tp_ppp,pppoe
ipt_REJECT              1639  2 
xt_TCPMSS               2461  0 
xt_comment               512  0 
xt_multiport            1929  1 
xt_mac                   656  0 
xt_limit                1066  2 
iptable_mangle           869  1 
iptable_filter           745  1 
ip_tables               9980  4 iptable_nat,iptable_raw,iptable_mangle,iptable_filter
xt_tcpudp               2397  6 
x_tables               10703 57 xt_mark2prio,ip6t_REJECT,ip6t_rt,ip6t_hbh,ip6t_mh,ip6t_ipv6header,ip6t_frag,ip6t_eui64,ip6t_ah,ip6table_raw,ip6table_mangle,ip6table_filter,ip6_tables,ipt_TRIGGER,xt_httphost,xt_app,xt_iprange,xt_HL,xt_hl,xt_ecn,ipt_ECN,xt_CLASSIFY,xt_time,xt_tcpmss,xt_statistic,xt_mark,xt_length,xt_DSCP,xt_dscp,xt_quota,xt_pkttype,xt_physdev,xt_owner,compat_xtables,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,iptable_nat,xt_recent,xt_helper,xt_connmark,xt_connbytes,xt_conntrack,xt_CT,xt_NOTRACK,iptable_raw,xt_state,ipt_REJECT,xt_TCPMSS,xt_comment,xt_multiport,xt_mac,xt_limit,iptable_mangle,iptable_filter,ip_tables,xt_tcpudp
msdos                   5497  0 
bonding                90382  1 ecm
ip_gre                 12390  0 
gre                     1167  2 pptp,ip_gre
qca_nss_macsec         54729  0 
qca_nss_qdisc          29173  0 
sit                     9420  1 qca_nss_tun6rd
qca_nss_drv           166460  5 umac,ecm,qca_nss_tunipip6,qca_nss_tun6rd,qca_nss_qdisc
l2tp_netlink            6197  1 l2tp_ppp
l2tp_core              12041  2 l2tp_ppp,l2tp_netlink
ip6_tunnel             10637  1 qca_nss_tunipip6
qca_nss_gmac           52395  2 qca_nss_macsec,qca_nss_drv
ppp_mppe                5042  0 
tunnel6                 1516  1 ip6_tunnel
tunnel4                 1669  1 sit
snd_pcm_oss            30599  0 
snd_mixer_oss          11435  1 snd_pcm_oss
snd_pcm                55264  1 snd_pcm_oss
snd_timer              14143  1 snd_pcm
snd_rawmidi            14179  0 
snd_seq_device          3979  1 snd_rawmidi
snd_hwdep               4493  0 
snd_page_alloc          4329  1 snd_pcm
snd                    35701  7 snd_pcm_oss,snd_mixer_oss,snd_pcm,snd_timer,snd_rawmidi,snd_seq_device,snd_hwdep
soundcore               3758  1 snd
ppp_async               5878  0 
ppp_generic            22013  8 ecm,pptp,l2tp_ppp,pppoe,pppox,qca_nss_drv,ppp_mppe,ppp_async
slhc                    3983  1 ppp_generic
vfat                    7771  0 
fat                    40384  2 msdos,vfat
ntfs                   78887  0 
hfsplus                68488  0 
hfs                    37512  0 
raid1                  23989  0 
raid0                   8047  0 
linear                  2980  0 
md_mod                 88535  3 raid1,raid0,linear
statistics            159834  1 ecm
nls_iso8859_1           2931  0 
nls_cp437               4463  0 
usbcore               134250  6 GPL_NetUSB,usb_storage,ledtrig_usbdev,ehci_hcd,xhci_hcd
usb_common               515  2 udc_core,usbcore
ts_fsm                  2623  0 
ts_bm                   1479  0 
ts_kmp                  1235  5 
crc_ccitt                984  1 ppp_async
ipv6                  237002 34 ecm,ip6t_REJECT,ip6_queue,ip6table_mangle,nf_conntrack_ipv6,nf_defrag_ipv6,ip_gre,sit,ip6_tunnel,tunnel6
qca_ssdk              748718  0 
sha1_generic            1453  0 
ecb                     1446  0 
arc4                     893  0 
liblog                  1114  1 xt_app
thfsplus               73052  0 
tntfs                 363023  0 
texfat                160682  0 
tfat                  157602  0 
admin@Archer C2600:/root$ cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00040000 00010000 "ART"
mtd1: 01b00000 00010000 "rootfs"
admin@Archer C2600:/root$ cat /proc/cpuinfo 
Processor       : ARMv7 Processor rev 0 (v7l)
processor       : 0
BogoMIPS        : 12.55

processor       : 1
BogoMIPS        : 12.55

Features        : swp half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 
CPU implementer : 0x51
CPU architecture: 7
CPU variant     : 0x2
CPU part        : 0x04d
CPU revision    : 0

Hardware        : Qualcomm Atheros AP148 reference board
Revision        : 0000
Serial          : 0000000000000000
admin@Archer C2600:/root$ ip li
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN mode DEFAULT 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT qlen 1000
    link/ether f4:f2:6d:37:b8:b6 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br-lan state UP mode DEFAULT qlen 1000
    link/ether f4:f2:6d:37:b8:b5 brd ff:ff:ff:ff:ff:ff
4: ip6tnl0: <NOARP> mtu 1452 qdisc noop state DOWN mode DEFAULT 
    link/tunnel6 :: brd ::
5: qca-nss-dev0: <> mtu 0 qdisc noop state DOWN mode DEFAULT 
    link/generic 
6: qca-nss-dev1: <> mtu 0 qdisc noop state DOWN mode DEFAULT 
    link/generic 
7: qca-nss-dev2: <> mtu 0 qdisc noop state DOWN mode DEFAULT 
    link/generic 
8: qca-nss-dev3: <> mtu 0 qdisc noop state DOWN mode DEFAULT 
    link/generic 
9: sit0: <NOARP> mtu 1480 qdisc noop state DOWN mode DEFAULT 
    link/sit 0.0.0.0 brd 0.0.0.0
10: gre0: <NOARP> mtu 1476 qdisc noop state DOWN mode DEFAULT 
    link/gre 0.0.0.0 brd 0.0.0.0
11: bond0: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop state DOWN mode DEFAULT 
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
12: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT 
    link/ether f4:f2:6d:37:b8:b5 brd ff:ff:ff:ff:ff:ff
13: wifi0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 539
    link/ieee802.11 f4:f2:6d:37:b8:b4 brd ff:ff:ff:ff:ff:ff
14: wifi1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 539
    link/ieee802.11 f4:f2:6d:37:b8:b5 brd ff:ff:ff:ff:ff:ff
15: ath0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br-lan state UNKNOWN mode DEFAULT qlen 1000
    link/ether f4:f2:6d:37:b8:b4 brd ff:ff:ff:ff:ff:ff
16: ath1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br-lan state UNKNOWN mode DEFAULT qlen 1000
    link/ether f4:f2:6d:37:b8:b5 brd ff:ff:ff:ff:ff:ff
admin@Archer C2600:/root$ ps
  PID USER       VSZ STAT COMMAND
    1 root      1420 S    init
    2 root         0 SW   [kthreadd]
    3 root         0 SW   [ksoftirqd/0]
    4 root         0 SW   [kworker/0:0]
    5 root         0 SW   [kworker/u:0]
    6 root         0 SW   [migration/0]
    7 root         0 SW   [migration/1]
    8 root         0 SW   [kworker/1:0]
    9 root         0 SW   [ksoftirqd/1]
   10 root         0 SW<  [khelper]
   11 root         0 SW   [kworker/u:1]
   31 root         0 SW   [kworker/0:1]
  110 root         0 SW   [irq/202-msmdata]
  252 root         0 SW   [sync_supers]
  254 root         0 SW   [bdi-default]
  255 root         0 SW<  [crypto]
  257 root         0 SW<  [kblockd]
  262 root         0 SW<  [ata_sff]
  266 root         0 SW<  [spi_qsd.5]
  269 root         0 SW   [msm-spi-thread]
  368 root         0 SW<  [modem_notifier]
  370 root         0 SW<  [smd_channel_clo]
  371 root         0 SW<  [smsm_cb_wq]
  396 root         0 SW<  [qmi]
  425 root         0 SW<  [nmea]
  427 root         0 SW<  [rpcrouter]
  443 root         0 SW   [kswapd0]
  486 root         0 SW   [fsnotify_mark]
  509 root         0 SW<  [smux_notify_wq]
  510 root         0 SW<  [smux_tx_wq]
  511 root         0 SW<  [smux_rx_wq]
  512 root         0 SW<  [smux_loopback_w]
  518 root         0 SW<  [k_hsuart]
  530 root         0 SW   [scsi_eh_0]
  533 root         0 SW   [kworker/u:2]
  546 root         0 SW   [mtdblock0]
  551 root         0 SW   [mtdblock1]
  615 root         0 SW<  [iewq]
  616 root         0 DW   [kinteractiveup]
  619 root         0 SW<  [msm-cpufreq]
  620 root         0 SW   [kworker/1:1]
  623 root         0 SW<  [rq_stats]
  629 root         0 SW<  [deferwq]
 1082 root      1448 S    {rcS} /bin/sh /etc/init.d/rcS S boot
 1083 root      1420 S    init
 1085 root      1412 S    logger -s -p 6 -t sysinit
 1119 root         0 SW   [khubd]
 1124 root         0 SW<  [md]
 1156 root         0 SW<  [gmac_workqueue]
 1161 root         0 SW<  [nss_freq_queue]
 1191 root         0 SW<  [bond0]
 1399 root      1180 S    /usr/sbin/logd -C 128
 1402 root      1408 S    /sbin/klogd
 1429 root      1228 S    /sbin/hotplug2 --override --persistent --set-rules-file /etc/hotplug2.rules --set-coldplug-cmd /sbin/udevtrigger --max-children 1
 1430 root       860 S    /sbin/hotplug2 --override --persistent --set-rules-file /etc/hotplug2-usb.rules --set-coldplug-cmd /sbin/udevtrigger --max-children 1
 1439 root       900 S    /sbin/ubusd
 1455 root      3176 S    /usr/bin/ledctrl
 1839 root      1372 S    /sbin/netifd
 2082 root         0 SW   [kworker/0:2]
 2131 root      1416 S    udhcpc -p /var/run/udhcpc-eth0.pid -s /lib/netifd/dhcp.script -O 33 -O 121 -O 249 -f -R -a -t 0 -i eth0 -H Archer_C2600 -V MSFT 5.0 -C -B
 2400 root      1408 S    /usr/bin/client_mgmt
 2691 root      1332 S    /usr/sbin/imbd
 2820 nobody    1020 S    /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf
 2981 root     10108 S    /usr/sbin/minidlnad -f /tmp/minidlna.conf -P /var/run/minidlnad.pid
 3255 root      3092 S    /usr/sbin/smbd -D
 3257 root      3100 S    /usr/sbin/nmbd -D
 3300 root      1528 S    {dnsproxy_deamon} /bin/sh /usr/lib/dnsproxy/dnsproxy_deamon.sh
 3473 root      1420 S    /usr/sbin/crond -c /etc/crontabs -l 5
 3479 root      1456 S    {S50factory_sett} /bin/sh /etc/rc.common /etc/rc.d/S50factory_settings_reset boot
 3480 root      1056 S    /usr/bin/factory_settings_reset
 3531 guest     2284 S    proftpd: (accepting connections)
 3547 daemon    1984 S    slpd -r /var/slp.reg -c /var/slp.conf
 3551 root      1004 S    /usr/sbin/sysmond
 3553 root      1456 S    {S50tmpServer} /bin/sh /etc/rc.common /etc/rc.d/S50tmpServer boot
 3557 root      1016 S    /usr/sbin/tsched
 3560 root      5532 S    /usr/bin/tmpServer
 3594 root      1100 S    /usr/sbin/uhttpd -f -h /www -r Archer C2600 -x /cgi-bin -t 60 -T 30 -A 1 -n 3 -p 0.0.0.0:80
 3625 root      1460 S    /usr/sbin/dbus-daemon --system
 3690 root      1492 S    /usr/sbin/dropbear -P /var/run/dropbear.1.pid -p 22 -L -C
 3742 nobody    1844 S    avahi-daemon: running [ArcherC2600.local]
 3784 root         0 SW   [ telnetDBGD ]
 3785 root         0 SW   [ acktelnetDBGD ]
 3796 root         0 SW   [NU UDP]
 3797 root         0 SW   [NU TCP]
 4355 root      1324 S    /usr/sbin/tfstats
 4359 root      3376 S    /usr/sbin/dosd
 4363 root      1392 S    tddp
 4392 root      1404 S    /sbin/watchdog -t 5 /dev/watchdog
 4396 root      1416 S    /usr/sbin/ntpd -n -p time.nist.gov -p time-nw.nist.gov -p time-a.nist.gov -p time-b.nist.gov
 4497 root       888 S    /usr/bin/switch_led
 4513 root      5100 S <  /usr/sbin/thermald -c /etc/thermal/ipq-thermald-8064.conf
 5064 root      1432 S    hostapd -P /var/run/wifi-ath0.pid -B /var/run/hostapd-ath0.conf -e /var/run/entropy-ath0.bin
 5066 root      1056 S    hostapd_cli -i ath0 -P /var/run/hostapd_cli-ath0.pid -a /lib/wifi/tplink-update-uci -p /var/run/hostapd-wifi0 -B
 5154 root      1428 S    hostapd -P /var/run/wifi-ath1.pid -B /var/run/hostapd-ath1.conf -e /var/run/entropy-ath1.bin
 5156 root      1056 S    hostapd_cli -i ath1 -P /var/run/hostapd_cli-ath1.pid -a /lib/wifi/tplink-update-uci -p /var/run/hostapd-wifi1 -B
 5701 root      2312 S    /usr/sbin/dropbear -P /var/run/dropbear.1.pid -p 22 -L -C
 5738 admin     1424 S    -ash
 5940 root      1408 S    sleep 30
 5953 admin     1412 R    ps
admin@Archer C2600:/root$ 

Is the stock firmware based on OpenWrt? I wonder if it's possible to sysupgrade or flash the AP148 image somehow from there.

Hardware        : Qualcomm Atheros AP148 reference board

Yes, the Qualcomm SDK on which the stock firmware is based is apparently a modified openwrt 12.09.

Major changes I'm aware of in the qualcomm SDK with respect to openwrt 12.09 are
1) Proprietary wireless driver
2) Kernel patches + additional modules to support the tcp-ip offload in the IPQ806x (this is also related to the qca-nss devices)

Then tp-link has heavily customized the web interface and a few other things on top.

Probably this includes modifications to sysupgrade to check headers/product info/etc, assuming this is what they are calling from the firmware upgrade in their own web interface.  Will take a closer a look.

I managed to get ssh access using @bendavid firmware, but I needed to perform a factory reset after installing it. Can't install anything via opkg though.

One thing I realized (while playing with sysupgrade) is that apparently with this configuration one always ends up logged in as "admin" user rather than root.

Will see about enabling proper root login.

(btw sysupgrade with AP148 factory images complains about failed product check as expected, but with the -F option looks like it would have proceeded aside from the fact that I was not root)

Updated firmware with further fixed dropbear configuration so that root login works.  Have also edited /etc/shadow to set a default password of "admin" for the root account.

https://www.dropbox.com/s/9jplakzrr906n … d.bin?dl=0

(very likely the tp-link tether app will not work with this firmware, since it changes the behaviour of the ssh daemon and how logins are mapped to local accounts, essential restoring the default/sane behaviour whereas there was some custom option set before which was doing something different)

(Last edited by bendavid on 2 Dec 2015, 22:57)

Would it be good to split this into a separate thread for the C2600 to keep it dedicated to that model?

Thanks for the investigation work. I was hoping the router would get openWRT support (and hence why I went for a pure ATH chipset solution).

Also, with regards to the custom wireless driver, is really just a backported version of the ath10k driver? that is the one needed for this newer chip, but wouldn't have been around in 12.09 time frame.

I think qualcomm anyways maintains a separate closed source driver in parallel to whatever they are contributing upstream.  Some of the code may even be in common between the two.

I believe that ath10k will now or soon support the QCA9980 wireless chips in this router (but let's see what happens once we get a running snapshot)

Up to the forum mods if they want to change the thread name or whatnot.  Will continue the discussion here unless told otherwise.

FWIW, a brute force attempt to flash the AP148 factory images is not successful:

root@Archer C2600:/tmp# sysupgrade -n -F openwrt-ipq806x-AP148-squashfs-nand-factory.ubi
openwrt-ipq806x-AP148-squashfs-nand-factory.ubi is not a valid FIT image
Image check 'platform_check_image' failed but --force given - will update anyway!
Sending TERM to remaining processes ... rcS logger logd klogd hotplug2 hotplug2 ubusd ledctrl sleep netifd client_mgmt imbd dnsmasq minidlnad smbd nmbd dnsproxy_deamon crond S50factory_sett factory_setting proftpd slpd sysmond S50tmpServer tmpServer tsched uhttpd dbus-daemon avahi-daemon tfstats dosd ntpd switch_led thermald 
Sending KILL to remaining processes ... lock client_mgmt imbd uhttpd 
Switching to ramdisk...
Performing system upgrade...
dumpimage: Bad Magic Number: "openwrt-ipq806x-AP148-squashfs-nand-factory.ubi" is no valid image
dumpimage: Bad Magic Number: "openwrt-ipq806x-AP148-squashfs-nand-factory.ubi" is no valid image
ash: can't create /sys/devices/platform/msm_nand/boot_layout: nonexistent directory
Upgrade completed
Rebooting system...

I successfully installed @bendavid's ssh_root firmware, but the /etc/opkg.conf relies on packages that no longer (if ever?) exist. Cannot install anything without it. Specifically

http://downloads.openwrt.org/attitude_a … c/packages

I can't find any ipq806x packages in 12.09

Further update.  The image format is very similar to the tp-link CPE510, and it looks like it can be easily supported with minimal modifications to tplink-safeloader
(I'm able to build flashable images from scratch already, though nothing which actually boots yet.)

Will submit patches for tplink-safeloader soon (but may need some help to get usage of it properly integrated into target/linux/ipq806x/image/Makefile)

Then unless the current issue is trivial it may indeed be quite difficult to debug issues booting the kernel/rootfs from the AP148 build without a serial console...

bendavid wrote:

Further update.  The image format is very similar to the tp-link CPE510, and it looks like it can be easily supported with minimal modifications to tplink-safeloader
(I'm able to build flashable images from scratch already, though nothing which actually boots yet.)

Will submit patches for tplink-safeloader soon (but may need some help to get usage of it properly integrated into target/linux/ipq806x/image/Makefile)

Then unless the current issue is trivial it may indeed be quite difficult to debug issues booting the kernel/rootfs from the AP148 build without a serial console...

It's probably more likely that there needs to be a custom target for the router, rather than a reference board one (just like the R7500).

\Archer C2600_GPL_V1\Archer_C2600_v1_GPL\openwrt\qca\src\u-boot\tools\default_image.c has the code to verify the headers.

The gave the whole uboot code, so it should contain everything needed to generate a bootable image.

Edit: just looked up the magic number -- it's the same for the openwrt code as it is in the C2600 tarball. So, it seems like the image file isn't valid.

Edit 2: Or more correctly, the changes TP Link made are on top of the AP148 reference board code (based on the provided SSH logs), which they seemed to have modified for the router. Hence why the default ap148 image is crashing.

Edit 3: Apparently the Archer C9 uses the same firmware format, but the C7v2 and C3200 don't. I'm surprised the C3200 doesn't as it's a newer product as well.

(Last edited by TeutonJon78 on 4 Dec 2015, 09:49)

Any suggestions how to check in particular for possible needed modifications to the device tree as compared to the ap148 would be welcome.

I was looking for a tarball for the AP148, but didn't find one. I'm also building the GPL image to see what that actually spit out at the end.

Regarding the image generation code, DD-WRT working C9 firmware, so the code for that generation could be forked from there. They generate an initial flash file to use coming from factory (which has the same header format stock and we use) and then a normal dd-wrt flash file for upgrading.

You'd think that since the firmware is already based on openWRT, that TP-Link would:
1) be using a newer version than AA (seriously?)
2) release the code in a way that makes building a clean openWRT easier. They generally seem to support alternate firmwares, but they sure don't make it easy.

(Last edited by TeutonJon78 on 4 Dec 2015, 19:08)

I have the image generation working already with small modifications (adding partition table and strings for c2600) to tplink-safeloader in the openwrt firmware tools.

Just need to get it integrated into the Makefile to make it automatic during the build.

The bigger problem is that when so flashing the kernel+rootfs from the AP148 legacy sysupgrade tarball (https://downloads.openwrt.org/snapshots … pgrade.tar)
the router doesn't boot.  (or at least neither LED's or network are working)

Of course the proper way to proceed would be to set up a working serial console to debug, but have not done that yet.

Sorry, posts 51 to 50 are missing from our archive.