[PATCH v2 2/2] ath79: add support for TP-Link EAP225 v1

Sander Vanheule sander at svanheule.net
Mon Nov 22 11:57:39 PST 2021


On Sat, 2021-11-20 at 14:06 +0100, Sander Vanheule wrote:
> TP-Link EAP225 v1 is an AC1200 (802.11ac Wave-1) ceiling mount access point.
> 
> Device specifications:
> * SoC: QCA9563 @ 775MHz
> * RAM: 128MiB DDR2
> * Flash: 16MiB SPI-NOR
> * Wireless 2.4GHz (SoC): b/g/n, 2x2
> * Wireless 5GHz (QCA9882): a/n/ac, 2x2
> * Ethernet (AR8033): 1× 1GbE, 802.3at PoE
> 
> Flashing instructions:
> * Ensure the device is upgraded to firmware v1.4.0
> * Exploit the user management page in the web interface to start telnetd
>   by changing the username to `;/usr/sbin/telnetd -l/bin/sh&`.
> * Immediately change the malformed username back to something valid
>   (e.g. 'admin') to make ssh work again.
> * Use the root shell via telnet to make /tmp world writeable (chmod 777)
> * Extract /usr/bin/uclited from the device via ssh and apply the binary
>   patch listed below. The patch is required to prevent `uclited -u` in
>   the last step from crashing.
> * Copy the patched uclited binary back to the device at /tmp/uclited
>   (via ssh)
> * Upload the factory image to /tmp/upgrade.bin (via ssh)
> * Run `chmod +x /tmp/uclited && /tmp/uclited -u` to install OpenWrt.
> 
> uclited patching:
>     --- xxd uclited
>     +++ xxd uclited-patched
>     @@ -53811,7 +53811,7 @@
>      000d2330: 8c44 0000 0320 f809 0000 0000 8fbc 0010  .D... ..........
>      000d2340: 8fa6 0a4c 02c0 2821 8f82 87c4 0000 0000  ...L..(!........
>     -000d2350: 8c44 0000 0c13 461c 27a7 0018 8fbc 0010  .D....F.'.......
>     +000d2350: 8c44 0000 2402 0000 0000 0000 8fbc 0010  .D..$...........
>      000d2360: 1040 001d 0000 1821 8f99 8378 3c04 0058  . at .....!...x<..X
>      000d2370: 3c05 0056 2484 ad68 24a5 9f00 0320 f809  <..V$..h$.... ..
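
Review bot: The changed row at 000d2350 does not say what is being removed or why that stops the crash. Read as big-endian MIPS, the old bytes 0c13 461c 27a7 0018 are a jal with its delay slot, and the replacement 2402 0000 0000 0000 sets v0 to 0 and fills the slot with a nop, so the beq on v0 at 000d2360 (1040 001d) is always taken. Please name the call that is skipped and the reason in the commit message. Also give the byte offset (0xd2354) and length (8 bytes), because the line number in the @@ header only holds for the default xxd layout.
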
> 
> To make sure the correct file is patched, the following MD5 checksums
> should match the unpatched and patched files:
>     4bd74183c23859c897ed77e8566b84de  uclited
>     4107104024a2e0aeaf6395ed30adccae  uclited-patched
> 
> Debricking:
> * Serial port can be soldered on unpopulated 4-pin header
>   (1: TXD, 2: RXD, 3: GND, 4: VCC)
>     * Bridge unpopulated resistors running from pins 1 (TXD) and 2 (RXD).
>       Do NOT bridge the pull-down for pin 2, running parallel to the
>       header.
>     * Use 3.3V, 115200 baud, 8n1
> * Interrupt bootloader by holding CTRL+B during boot
> * tftp initramfs to flash via the LuCI web interface
>     setenv ipaddr 192.168.1.1 # default, change as required
>     setenv serverip 192.168.1.10 # default, change as required
>     tftp 0x80800000 initramfs.bin
>     bootelf $fileaddr
> 
> Tested by forum user KernelMaker.
> 
> Link: https://forum.openwrt.org/t/eap225-v1-firmware/87116
> Signed-off-by: Sander Vanheule <sander at svanheule.net>
> ---

Patch 1/2 was merged in firmware-utils (thanks Rafał!), so I just sent a v3
patch to avoid confusion with the patch numbering.

In the new patch I've also updated the led node names (to led-{0,1,2}), and
added the function and color properties. I have been requesting this on other
patches, so I might as well do it in my own patches.

Best,
Sander
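
The uclited patching and MD5 check from the quoted commit message can be scripted in one verified step. This is an added example, not code from the original mail or from OpenWrt. The function names are hypothetical, and the offset 0xd2354 is derived from the changed xxd row (row address 000d2350, bytes 4 to 11).

```python
import hashlib

# Values taken from the xxd diff and MD5 list in the quoted commit message.
PATCH_OFFSET = 0xD2354  # assumption: row 000d2350 plus 4 unchanged bytes
OLD_BYTES = bytes.fromhex("0c13461c27a70018")
NEW_BYTES = bytes.fromhex("2402000000000000")
MD5_ORIGINAL = "4bd74183c23859c897ed77e8566b84de"
MD5_PATCHED = "4107104024a2e0aeaf6395ed30adccae"


def md5_hex(data):
    """MD5 is used here only to identify the file, as in the commit message."""
    return hashlib.md5(data).hexdigest()


def patch_image(data, offset=PATCH_OFFSET, old=OLD_BYTES, new=NEW_BYTES,
                md5_before=MD5_ORIGINAL, md5_after=MD5_PATCHED):
    """Return a patched copy of data; raise ValueError if any check fails."""
    if len(old) != len(new):
        raise ValueError("patch must not change the file length")
    if md5_hex(data) != md5_before:
        raise ValueError("input MD5 mismatch: not the expected uclited build")
    if data[offset:offset + len(old)] != old:
        raise ValueError("unexpected bytes at patch offset")
    patched = data[:offset] + new + data[offset + len(new):]
    if md5_hex(patched) != md5_after:
        raise ValueError("output MD5 mismatch: patched file is not as expected")
    return patched


def patch_file(src="uclited", dst="uclited-patched"):
    """Patch src into dst; dst is only written after every check has passed."""
    with open(src, "rb") as f:
        data = f.read()
    patched = patch_image(data)
    with open(dst, "wb") as f:
        f.write(patched)
    return md5_hex(patched)


if __name__ == "__main__":
    print(patch_file())
```

A binary from any firmware version other than the one the checksums describe fails the first check and no output file is written.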