TP-Link EAP245 v1 is an AC1750 (802.11ac Wave-1) ceiling mount access point.

Device specifications:
* SoC: QCA9563 @ 775MHz
* RAM: 128MiB DDR2
* Flash: 16MiB SPI-NOR
* Wireless 2.4GHz (SoC): b/g/n, 3x3
* Wireless 5GHz (QCA9880): a/n/ac, 3x3
* Ethernet (AR8033): 1× 1GbE, 802.3at PoE

Flashing instructions:
* Extract /usr/bin/uclited from the device via ssh and apply the binary
  patch listed below. The patch is required to prevent `uclited -u` in
  the last step from crashing.
* Exploit the user management page in the web interface to start telnetd
  by changing the username to `;/usr/sbin/telnetd -l/bin/sh&`.
* Immediately change the malformed username back to something valid
  (e.g. 'admin') to make ssh work again.
* Use the root shell via telnet to make /tmp world writeable (chmod 777)
* Copy the patched uclited programme back to the device at /tmp/uclited
  (via ssh)
* Upload the factory image to /tmp/upgrade.bin (via ssh)
* Run `chmod +x /tmp/uclited && /tmp/uclited -u` to flash OpenWrt.

    --- xxd uclited
    +++ xxd uclited-patched
    @@ -53796,7 +53796,7 @@
     000d2240: 8c44 0000 0320 f809 0000 0000 8fbc 0010  .D... ..........
     000d2250: 8fa6 0a4c 02c0 2821 8f82 87b8 0000 0000  ...L..(!........
    -000d2260: 8c44 0000 0c13 45e0 27a7 0018 8fbc 0010  .D....E.'.......
    +000d2260: 8c44 0000 2402 0000 0000 0000 8fbc 0010  .D..$...........
     000d2270: 1040 001d 0000 1821 8f99 8374 3c04 0058  .@.....!...t<..X
     000d2280: 3c05 0056 2484 a898 24a5 9a30 0320 f809  <..V$...$..0. ..

Debricking:
* Serial port can be soldered on PCB J3 (1: TXD, 2: RXD, 3: GND, 4: VCC)
    * Bridge unpopulated resistors R225 (TXD) and R237 (RXD).
      Do NOT bridge R230.
    * Use 3.3V, 115200 baud, 8n1
* Interrupt bootloader with by holding CTRL+B during boot
* tftp initramfs to flash via Luci web-interface

Tested on the EAP245v1 running the latest firmware (v1.4.0). The binary
patch might not apply to uclited from other firmware versions.

Signed-off-by: Sander Vanheule <san...@svanheule.net>
---
 .../ath79/dts/qca9563_tplink_eap245-v1.dts    | 26 +++++++++++++++++
 .../generic/base-files/etc/board.d/02_network |  1 +
 .../etc/hotplug.d/firmware/11-ath10k-caldata  |  3 +-
 target/linux/ath79/image/generic-tp-link.mk   |  9 ++++++
 tools/firmware-utils/src/tplink-safeloader.c  | 28 +++++++++++++++++++
 5 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 target/linux/ath79/dts/qca9563_tplink_eap245-v1.dts

diff --git a/target/linux/ath79/dts/qca9563_tplink_eap245-v1.dts 
b/target/linux/ath79/dts/qca9563_tplink_eap245-v1.dts
new file mode 100644
index 0000000000..8a11d2e469
--- /dev/null
+++ b/target/linux/ath79/dts/qca9563_tplink_eap245-v1.dts
@@ -0,0 +1,26 @@
+// SPDX-License-Identifier: GPL-2.0-or-later OR MIT
+/dts-v1/;
+
+#include <dt-bindings/gpio/gpio.h>
+
+#include "qca9563_tplink_eap2x5_1port.dtsi"
+
+/ {
+       compatible = "tplink,eap245-v1", "qca,qca9563";
+       model = "TP-Link EAP245 v1";
+};
+
+&led_status_green {
+       status = "okay";
+       gpios = <&gpio 7 GPIO_ACTIVE_HIGH>;
+};
+
+&led_status_amber {
+       status = "okay";
+       gpios = <&gpio 9 GPIO_ACTIVE_HIGH>;
+};
+
+&led_status_red {
+       status = "okay";
+       gpios = <&gpio 1 GPIO_ACTIVE_HIGH>;
+};
diff --git a/target/linux/ath79/generic/base-files/etc/board.d/02_network 
b/target/linux/ath79/generic/base-files/etc/board.d/02_network
index 7524806d72..d19f885e27 100755
--- a/target/linux/ath79/generic/base-files/etc/board.d/02_network
+++ b/target/linux/ath79/generic/base-files/etc/board.d/02_network
@@ -38,6 +38,7 @@ ath79_setup_interfaces()
        pisen,wmb001n|\
        pisen,wmm003n|\
        siemens,ws-ap3610|\
+       tplink,eap245-v1|\
        tplink,cpe210-v2|\
        tplink,cpe210-v3|\
        tplink,cpe510-v2|\
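Review bot: The new `tplink,eap245-v1|\` pattern sits ahead of `tplink,cpe210-v2`, which puts it out of the alphabetical order that the visible neighbours (`pisen,…`, `siemens,…`, `tplink,cpe…`) follow. Moving it below the last `tplink,cpe…` pattern keeps the list sorted, so duplicate or missing board entries stay easy to spot in later reviews. The `case` arm continues outside the hunk, so the exact position has to be checked against the full file.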
diff --git 
a/target/linux/ath79/generic/base-files/etc/hotplug.d/firmware/11-ath10k-caldata
 
b/target/linux/ath79/generic/base-files/etc/hotplug.d/firmware/11-ath10k-caldata
index 2926796d65..d722f2dcaf 100644
--- 
a/target/linux/ath79/generic/base-files/etc/hotplug.d/firmware/11-ath10k-caldata
+++ 
b/target/linux/ath79/generic/base-files/etc/hotplug.d/firmware/11-ath10k-caldata
@@ -63,7 +63,8 @@ case "$FIRMWARE" in
                caldata_extract "art" 0x5000 0x844
                ath10k_patch_mac $(macaddr_add $(mtd_get_mac_ascii u-boot-env 
ethaddr) +1)
                ;;
-       engenius,ews511ap)
+       engenius,ews511ap|\
+       tplink,eap245-v1)
                caldata_extract "art" 0x5000 0x844
                ath10k_patch_mac $(macaddr_add $(cat 
/sys/class/net/eth0/address) +1)
                ;;
diff --git a/target/linux/ath79/image/generic-tp-link.mk 
b/target/linux/ath79/image/generic-tp-link.mk
index d2cc8d09bd..a4a14ed889 100644
--- a/target/linux/ath79/image/generic-tp-link.mk
+++ b/target/linux/ath79/image/generic-tp-link.mk
@@ -372,6 +372,15 @@ define Device/tplink_eap2x5_1port
   IMAGE/factory.bin := append-rootfs | tplink-safeloader factory | pad-extra 
128
 endef
 
+define Device/tplink_eap245-v1
+  $(Device/tplink_eap2x5_1port)
+  DEVICE_MODEL := EAP245
+  DEVICE_VARIANT := v1
+  TPLINK_BOARD_ID := EAP245-V1
+  DEVICE_PACKAGES := kmod-ath10k-ct ath10k-firmware-qca988x-ct
+endef
+TARGET_DEVICES += tplink_eap245-v1
+
 define Device/tplink_eap245-v3
   $(Device/tplink-safeloader)
   SOC := qca9563
diff --git a/tools/firmware-utils/src/tplink-safeloader.c 
b/tools/firmware-utils/src/tplink-safeloader.c
index e9e6f01ebd..a20304150b 100644
--- a/tools/firmware-utils/src/tplink-safeloader.c
+++ b/tools/firmware-utils/src/tplink-safeloader.c
@@ -1291,6 +1291,34 @@ static struct device_info boards[] = {
                .last_sysupgrade_partition = "file-system"
        },
 
+       /** Firmware layout for the EAP245 v1 */
+       {
+               .id     = "EAP245-V1",
+               .support_list =
+                       "SupportList:\r\n"
+                       "EAP245(TP-LINK|UN|AC1750-D):1.0\r\n",
+               .support_trail = '\xff',
+               .soft_ver = NULL,
+
+               .partitions = {
+                       {"fs-uboot", 0x00000, 0x20000},
+                       {"partition-table", 0x20000, 0x02000},
+                       {"default-mac", 0x30000, 0x01000},
+                       {"support-list", 0x31000, 0x00100},
+                       {"product-info", 0x31100, 0x00400},
+                       {"soft-version", 0x32000, 0x00100},
+                       {"firmware", 0x40000, 0xc00000},
+                       {"user-config", 0xdc0000, 0x10000},
+                       {"backup-config", 0xdd0000, 0x10000},
+                       {"log", 0xde0000, 0x10000},
+                       {"radio", 0xff0000, 0x10000},
+                       {NULL, 0, 0}
+               },
+
+               .first_sysupgrade_partition = "os-image",
+               .last_sysupgrade_partition = "file-system"
+       },
+
        /** Firmware layout for the EAP245 v3 */
        {
                .id     = "EAP245-V3",
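Review bot: The EAP245-V1 partition table leaves two large flash ranges undescribed: `firmware` ends at 0xc40000 but `user-config` starts at 0xdc0000, and `log` ends at 0xdf0000 while `radio` starts at 0xff0000. If those gaps are intentional, a comment above `.partitions` such as `/* 0xc40000-0xdbffff and 0xdf0000-0xfeffff are intentionally not listed */` would stop a later edit from growing `firmware` into flash that may still hold device data. The sysupgrade bounds also name `os-image` and `file-system`, neither of which appears in this table. Presumably the tool derives them from `firmware`, but that is not visible in this hunk and deserves a one-line comment as well. The `boards[]` array starts and ends outside the hunk.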
-- 
2.26.2

