Created
December 9, 2022 17:30
-
-
Save Python1320/b67449388a178fa1f1718c74ecb075ad to your computer and use it in GitHub Desktop.
Aruba Networks AP-115 (APIN0115) reversing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| APBoot 1.4.0.5 (build 38142) | |
| Built: 2013-04-21 at 22:03:44 | |
| Model: AP-11x | |
| CPU: QCA9550 revision: 1.0 | |
| Clock: 720 MHz, DDR rate: 600 MHz, Bus clock: 200 MHz | |
| DRAM: 256 MB | |
| POST1: passed | |
| Copy: done | |
| Flash: 32 MB | |
| Power: DC | |
| PCI: scanning bus 0 ... | |
| dev fn venID devID class rev MBAR0 MBAR1 MBAR2 MBAR3 | |
| 00 00 168c 0033 00002 01 00000004 00000000 00000000 00000000 | |
| Net: eth0 | |
| Radio: ar9590#0, qca9550#1 | |
| **** Configuration Reset Requested by User **** | |
| Clearing state... Checking OS image and flags | |
| Image is signed; verifying checksum... passed | |
| Clearing image partition 0 | |
| Erasing flash sector @ 0xbf100000....done | |
| Erased 1 sectors | |
| Erasing flash sector @ 0xbff80000....done | |
| Erased 1 sectors | |
| Erasing flash sector @ 0xbff90000....done | |
| Erased 1 sectors | |
| Erasing flash sector @ 0xbffb0000....done | |
| Erased 1 sectors | |
| Erasing flash sector @ 0xbffc0000....done | |
| Erased 1 sectors | |
| Erasing flash sector @ 0xbffd0000....done | |
| Erased 1 sectors | |
| done | |
| Purging environment... Un-Protected 1 sectors | |
| .done | |
| Erased 1 sectors | |
| Writing | |
| done | |
| Hit <Enter> to stop autoboot: 0 | |
| apboot> help | |
| ? - alias for 'help' | |
| boot - boot the OS image | |
| clear - clear the OS image or other information | |
| dhcp - invoke DHCP client to obtain IP/boot params | |
| factory_reset - reset to factory defaults | |
| help - print online help | |
| mfginfo - show manufacturing info | |
| osinfo - show the OS image version(s) | |
| ping - send ICMP ECHO_REQUEST to network host | |
| printenv - print environment variables | |
| purgeenv - restore default environment variables | |
| reset - Perform RESET of the CPU | |
| saveenv - save environment variables to persistent storage | |
| setenv - set environment variables | |
| tftpboot - boot image via network using TFTP protocol | |
| upgrade - upgrade the APBoot or OS image | |
| version - display version | |
| apboot> reset | |
| APBoot 1.4.0.5 (build 38142) | |
| Built: 2013-04-21 at 22:03:44 | |
| Model: AP-11x | |
| CPU: QCA9550 revision: 1.0 | |
| Clock: 720 MHz, DDR rate: 600 MHz, Bus clock: 200 MHz | |
| DRAM: 256 MB | |
| POST1: passed | |
| Copy: done | |
| Flash: 32 MB | |
| Power: DC | |
| PCI: scanning bus 0 ... | |
| dev fn venID devID class rev MBAR0 MBAR1 MBAR2 MBAR3 | |
| 00 00 168c 0033 00002 01 00000004 00000000 00000000 00000000 | |
| Net: eth0 | |
| Radio: ar9590#0, qca9550#1 | |
| Hit <Enter> to stop autoboot: 0 | |
| Checking image @ 0xbf100000 (bank 1) | |
| Invalid image format version: 0xffffffff | |
| Switching to flash bank: 2 | |
| Checking image @ 0xbf100000 (bank 2) | |
| Image is signed; verifying checksum... passed | |
| Signer Cert OK | |
| Policy Cert OK | |
| RSA signature verified. | |
| ELF file is 32 bit | |
| Loading .text @ 0x80e00000 (4672968 bytes) | |
| Loading .data @ 0x81274dd0 (32 bytes) | |
| Clearing .bss @ 0x81274df0 (16 bytes) | |
| ## Starting application at 0x80e00000 ... | |
| Uncompressing............................................ | |
| Aruba Networks | |
| ArubaOS Version 6.3.1.0 (build 38874 / label #38874) | |
| Built by p4build@cyprus on 2013-07-03 at 19:14:29 PDT (gcc version 4.3.3) | |
| CPU Rev: 1130 | |
| 955x CPU | |
| flash_size passed from bootloader = 32 | |
| arg 1: mem=256M | |
| Flash variant: default | |
| cpu apb ddr apb ath_955x_sys_frequency: cpu 720 ddr 600 ahb 200 | |
| Cache parity protection disabled | |
| ath_timer_init: plat time init done | |
| Using 360.000 MHz high precision timer. cycles_per_jiffy=720000 | |
| Memory: 251520k/262144k available (1927k kernel code, 10420k reserved, 844k data, 3796k init, 0k highmem) | |
| available. | |
| detected lzma initramfs | |
| initramfs: LZMA lc=3,lp=0,pb=2,dictSize=8388608,origSize=17933312 | |
| LZMA initramfs by Ming-Ching Tiew <[email protected]> .................................................................................................................................................................................................................................................................................. | |
| qca955x_pcibios_init: bus 0 | |
| qca955x_pcibios_init(1239): PCI 0 CMD write: 0x356 | |
| qca955x_pcibios_init: bus 1 | |
| qca955x_pcibios_map_irq: IRQ 75 for bus 0 | |
| ATH GPIOC major 0 | |
| wdt: registered with refresh | |
| Enabling Watchdog | |
| Talisker RSSI LED initialization | |
| Concatenating MTD devices: | |
| (0): "bank1" | |
| (1): "bank2" | |
| into device "flash" | |
| Creating 1 MTD partitions on "flash": | |
| 0x00000000-0x02000000 : "flash" | |
| i2c /dev entries driver | |
| i2c-talisker: using default base 0x18040000 | |
| lo: Disabled Privacy Extensions | |
| IPv6 over IPv4 tunneling driver | |
| Starting Kernel SHA1 KAT ...Completed Kernel SHA1 KAT | |
| Starting Kernel HMAC-SHA1 KAT ...Completed Kernel HMAC-SHA1 KAT | |
| Starting Kernel DES KAT ...Completed Kernel DES KAT | |
| Starting Kernel AES KAT ...Completed Kernel AES KAT | |
| Starting Kernel AESGCM KAT ...Completed Kernel AESGCM KAT | |
| Domain Name: arubanetworks.com | |
| No panic info available | |
| apfcutil: sector CACHE: Cache uninitialized | |
| apfcutil: sector RAP: Cache uninitialized | |
| apfcutil -c RAP: Uninitialized. Initializing......... | |
| apfcutil: sector MESH Prov: Cache uninitialized | |
| qca955x_GMAC: Length per segment 1536 | |
| 955x_GMAC: qca955x_gmac_attach | |
| 955x_GMAC: qca955x_set_gmac_caps | |
| Currently in polling mode unit0 | |
| mac:0 Registering S17.... | |
| qca955x_GMAC: RX TASKLET - Pkts per Intr:100 | |
| qca955x_GMAC: Mac address for unit 0:8079bbc0 | |
| qca955x_GMAC: 24:de:c6:ca:b0:b0 | |
| qca955x_GMAC: Max segments per packet : 1 | |
| qca955x_GMAC: Max tx descriptor count : 128 | |
| qca955x_GMAC: Max rx descriptor count : 128 | |
| qca955x_GMAC: Mac capability flags : 2201 | |
| _athrs17_mac0_intf done | |
| athrs17_reg_init:done | |
| Phy setup Complete | |
| drvlog_mod: module license 'Proprietary' taints kernel. | |
| AP xml model 72, num_radios 2 (jiffies 4435) | |
| init_asap_mod: installation:0 | |
| radio 0: band 1 ant 0 max_ssid 16 | |
| radio 1: band 0 ant 0 max_ssid 16 | |
| Starting watchdog process... | |
| Getting an IP address... | |
| To set s17 LOOKUP_CTRL_REG registers, flag 0 | |
| athr_gmac_ring_alloc Allocated 2048 at 0x806cb000 | |
| athr_gmac_ring_alloc Allocated 2048 at 0x8ee70800 | |
| 955x_GMAC: eth0 in RGMII MODE | |
| Scorpion -----> S17 PHY | |
| FINAL XMII VAL after RX Calibration - 0x84000101 | |
| Error: cannot be initialized twice! | |
| athrs17_reg_init:done | |
| Setting PHY... | |
| Phy setup Complete | |
| To set s17 LOOKUP_CTRL_REG registers, flag 1 | |
| ADDRCONF(NETDEV_UP): bond0: link is not ready | |
| help | |
| ~ # ls | |
| ls: Permission denied | |
| ~ # help | |
| help: Permission denied | |
| ~ # commands | |
| commands: Permission denied | |
| ~ # ~ # | |
| ~ # | |
| ~ # bash | |
| bash: Permission denied | |
| ~ # / | |
| / /bin/ /dev/ /lib/ /proc/ /sys/ /usr/ | |
| /aruba/ /debug/ /etc/ /mnt/ /sbin/ /tmp/ /var/ | |
| ~ # / | |
| / /bin/ /dev/ /lib/ /proc/ /sys/ /usr/ | |
| /aruba/ /debug/ /etc/ /mnt/ /sbin/ /tmp/ /var/ | |
| ~ # /bin/ | |
| /bin/ash /bin/dmesg /bin/kill /bin/ping6 /bin/sync | |
| /bin/brctl /bin/echo /bin/ln /bin/ps /bin/tar | |
| /bin/busybox /bin/egrep /bin/ls /bin/pwd /bin/touch | |
| /bin/cat /bin/false /bin/mkdir /bin/rm /bin/true | |
| /bin/chgrp /bin/fgrep /bin/mknod /bin/rmdir /bin/umount | |
| /bin/chmod /bin/grep /bin/mktemp /bin/sc.awk /bin/uname | |
| /bin/chown /bin/gunzip /bin/more /bin/sed /bin/vi | |
| /bin/cp /bin/gzip /bin/mount /bin/sh /bin/zcat | |
| /bin/date /bin/hostname /bin/mv /bin/sleep | |
| /bin/dd /bin/ip /bin/netstat /bin/ss.awk | |
| /bin/df /bin/ipcalc /bin/ping /bin/stty | |
| ~ # /bin/mv | |
| /bin/mv: Permission denied | |
| ~ # chmod | |
| chmod: Permission denied | |
| ~ # busybox | |
| busybox: Permission denied | |
| ~ # /aruba/ | |
| /aruba/bin/ /aruba/conf/ /aruba/lib/ | |
| ~ # /aruba/conf/ | |
| /aruba/conf/mini_httpd.pem /aruba/conf/stm.cfg | |
| ~ # /aruba/conf/ | |
| /aruba/conf/mini_httpd.pem /aruba/conf/stm.cfg | |
| ~ # /aruba/conf/ | |
| ~ # ? | |
| ?: Permission denied | |
| ~ # help | |
| help: Permission denied | |
| ~ # - | |
| -: Permission denied | |
| ~ # . | |
| .: Permission denied | |
| ~ # , | |
| ,: Permission denied | |
| ~ # >ÄÖZL | |
| Redirection Not ~ # | |
| ~ # > | |
| /bin/sh: Syntax error: newline unexpected | |
| ~ # ct | |
| ct: Permission denied | |
| ~ # cat | |
| cat: Permission denied | |
| ~ # ls | |
| ls: Permission denied | |
| ~ # help | |
| help: Permission denied | |
| ~ # / | |
| / /bin/ /debug/ /etc/ /mnt/ /sbin/ /tmp/ /var/ | |
| /aruba/ /core /dev/ /lib/ /proc/ /sys/ /usr/ | |
| ~ # /sbin/ | |
| /sbin/adjtimex /sbin/show_stats_printk | |
| /sbin/dfs_test_override_channel_move /sbin/site_survey | |
| /sbin/dumptx /sbin/sysctl | |
| /sbin/fake_radar /sbin/syslogd | |
| /sbin/get_eth_files /sbin/tune_bin5burstint | |
| /sbin/ifconfig /sbin/tune_bin5burstthresh | |
| /sbin/init /sbin/tune_bin5dur | |
| /sbin/insmod /sbin/tune_bin5longpulse | |
| /sbin/klogd /sbin/tune_bin5pulseint | |
| /sbin/lsmod /sbin/tune_bin5rssi | |
| /sbin/makedevs /sbin/tune_bin5rssithresh | |
| /sbin/modprobe /sbin/tune_bin5start | |
| /sbin/print_radar /sbin/tune_bin5window | |
| /sbin/print_stats /sbin/tune_dur | |
| /sbin/reboot /sbin/tune_radar | |
| /sbin/reset_stats /sbin/tune_radarpower | |
| /sbin/rmmod /sbin/tune_rssi | |
| /sbin/route /sbin/udhcpc | |
| /sbin/show_stats /sbin/utelnetd | |
| ~ # /sbin/reboot | |
| /sbin/reboot: Permission denied | |
| ~ # ./sbin/reboot | |
| ./sbin/reboot: Permission denied | |
| ~ # ~ # |
Desoldered the chips, broke a few pads. Maybe could do pin lifting of the power pin instead?
root@gw1:~/ap-115# binwalk AP115-stock-SPI-dump-inner.rom
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
151112 0x24E48 Certificate in DER format (x509 v3), header length: 4, sequence length: 64
207472 0x32A70 CRC32 polynomial table, big endian
210252 0x3354C Base64 standard index table
244880 0x3BC90 Certificate in DER format (x509 v3), header length: 4, sequence length: 1300
327610 0x4FFBA Sercomm firmware signature, version control: 256, download control: 0, hardware ID: "AJX", hardware version: 0x0, firmware version: 0x15, starting code segment: 0x0, code size: 0x7310
327680 0x50000 JFFS2 filesystem, big endian
936012 0xE484C Zlib compressed data, compressed
937620 0xE4E94 Zlib compressed data, compressed
938972 0xE53DC Zlib compressed data, compressed
939232 0xE54E0 JFFS2 filesystem, big endian
991596 0xF216C Zlib compressed data, compressed
992488 0xF24E8 JFFS2 filesystem, big endian
1119856 0x111670 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 8484924 bytes
7493080 0x7255D8 Certificate in DER format (x509 v3), header length: 4, sequence length: 1165
7494532 0x725B84 Certificate in DER format (x509 v3), header length: 4, sequence length: 1165
16384560 0xFA0230 gzip compressed data, maximum compression, from Unix, last modified: 2013-09-29 03:49:44
root@gw1:~/ap-115# binwalk AP115-stock-SPI-dump.rom
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
1049088 0x100200 ELF, 32-bit MSB MIPS64 executable, MIPS, version 1 (SYSV)
1119728 0x1115F0 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 6728308 bytes
5788648 0x5853E8 Certificate in DER format (x509 v3), header length: 4, sequence length: 1759
5789572 0x585784 Certificate in DER format (x509 v3), header length: 4, sequence length: 559
Booting likely happens from inner chip (the harder one to desolder...)
root@gw1:~/ap-115# grep -r "Erasing flash sector" .
grep: ./AP115-stock-SPI-dump-inner.rom: binary file matches
TODO: test if you can read the chip just by desoldering the power pin about 2.8kohm resistor (Note: hot air gun required anyway as the board is too thick for a soldering iron and the resistor too small)
Removing the resistor did not seem to work, another AP likely destroyed...
Again, likely only inner chip needs to be detached and flashed as it contains the bootloader strings:
# fgrep -r "Signer Cert OK" .
grep: ./AP115-stock-SPI-dump-inner.rom: binary file matchesrom dumps available upon request
AP-115 is now supported by OpenWrt officially:
Flashing instructions and full thanks to David Bauer for making this device functional!
Get firmware here.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
http://en.techinfodepot.shoutwiki.com/wiki/Aruba_Networks_AP-115_(APIN0115)
2x MX25L12845EMI-10G (unable to read either with a setup that can read AP-105). Takes 1.1A through power pin (underpowered?)