diff options
| author | Sander Vanheule <sander@svanheule.net> | 2021-11-22 20:59:06 +0100 |
|---|---|---|
| committer | Hauke Mehrtens <hauke@hauke-m.de> | 2021-12-05 18:49:14 +0100 |
| commit | 0f6b6aab2bc9d34b5d516ddf38fb14e8c5d029db (patch) | |
| tree | f47d7dd67b3cdbbae8088a3d670b5b1bdf456b80 /tools/zlib | |
| parent | afeda4a3d37cf3f9a2001a67e24d0cdbbdbc4cde (diff) | |
| download | upstream-0f6b6aab2bc9d34b5d516ddf38fb14e8c5d029db.tar.gz upstream-0f6b6aab2bc9d34b5d516ddf38fb14e8c5d029db.tar.bz2 upstream-0f6b6aab2bc9d34b5d516ddf38fb14e8c5d029db.zip | |
ath79: add support for TP-Link EAP225 v1
TP-Link EAP225 v1 is an AC1200 (802.11ac Wave-1) ceiling mount access point.
Device specifications:
* SoC: QCA9563 @ 775MHz
* RAM: 128MiB DDR2
* Flash: 16MiB SPI-NOR
* Wireless 2.4GHz (SoC): b/g/n, 2x2
* Wireless 5Ghz (QCA9882): a/n/ac, 2x2
* Ethernet (AR8033): 1× 1GbE, 802.3at PoE
Flashing instructions:
* Ensure the device is upgraded to firmware v1.4.0
* Exploit the user management page in the web interface to start telnetd
by changing the username to `;/usr/sbin/telnetd -l/bin/sh&`.
* Immediately change the malformed username back to something valid
(e.g. 'admin') to make ssh work again.
* Use the root shell via telnet to make /tmp world writeable (chmod 777)
* Extract /usr/bin/uclited from the device via ssh and apply the binary
patch listed below. The patch is required to prevent `uclited -u` in
the last step from crashing.
* Copy the patched uclited binary back to the device at /tmp/uclited
(via ssh)
* Upload the factory image to /tmp/upgrade.bin (via ssh)
* Run `chmod +x /tmp/uclited && /tmp/uclited -u` to install OpenWrt.
uclited patching:
--- xxd uclited
+++ xxd uclited-patched
@@ -53811,7 +53811,7 @@
000d2330: 8c44 0000 0320 f809 0000 0000 8fbc 0010 .D... ..........
000d2340: 8fa6 0a4c 02c0 2821 8f82 87c4 0000 0000 ...L..(!........
-000d2350: 8c44 0000 0c13 461c 27a7 0018 8fbc 0010 .D....F.'.......
+000d2350: 8c44 0000 2402 0000 0000 0000 8fbc 0010 .D..$...........
000d2360: 1040 001d 0000 1821 8f99 8378 3c04 0058 .@.....!...x<..X
000d2370: 3c05 0056 2484 ad68 24a5 9f00 0320 f809 <..V$..h$.... ..
To make sure the correct file is patched, the following MD5 checksums
should match the unpatched and patched files:
4bd74183c23859c897ed77e8566b84de uclited
4107104024a2e0aeaf6395ed30adccae uclited-patched
Debricking:
* Serial port can be soldered on unpopulated 4-pin header
(1: TXD, 2: RXD, 3: GND, 4: VCC)
* Bridge unpopulated resistors running from pins 1 (TXD) and 2 (RXD).
Do NOT bridge the pull-down for pin 2, running parallel to the
header.
* Use 3.3V, 115200 baud, 8n1
* Interrupt bootloader by holding CTRL+B during boot
* tftp initramfs to flash via the LuCI web interface
setenv ipaddr 192.168.1.1 # default, change as required
setenv serverip 192.168.1.10 # default, change as required
tftp 0x80800000 initramfs.bin
bootelf $fileaddr
Tested by forum user KernelMaker.
Link: https://forum.openwrt.org/t/eap225-v1-firmware/87116
Signed-off-by: Sander Vanheule <sander@svanheule.net>
Diffstat (limited to 'tools/zlib')
0 files changed, 0 insertions, 0 deletions