Created
December 9, 2022 17:30
-
-
Save Python1320/b67449388a178fa1f1718c74ecb075ad to your computer and use it in GitHub Desktop.
Aruba Networks AP-115 (APIN0115) reversing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| APBoot 1.4.0.5 (build 38142) | |
| Built: 2013-04-21 at 22:03:44 | |
| Model: AP-11x | |
| CPU: QCA9550 revision: 1.0 | |
| Clock: 720 MHz, DDR rate: 600 MHz, Bus clock: 200 MHz | |
| DRAM: 256 MB | |
| POST1: passed | |
| Copy: done | |
| Flash: 32 MB | |
| Power: DC | |
| PCI: scanning bus 0 ... | |
| dev fn venID devID class rev MBAR0 MBAR1 MBAR2 MBAR3 | |
| 00 00 168c 0033 00002 01 00000004 00000000 00000000 00000000 | |
| Net: eth0 | |
| Radio: ar9590#0, qca9550#1 | |
| **** Configuration Reset Requested by User **** | |
| Clearing state... Checking OS image and flags | |
| Image is signed; verifying checksum... passed | |
| Clearing image partition 0 | |
| Erasing flash sector @ 0xbf100000....done | |
| Erased 1 sectors | |
| Erasing flash sector @ 0xbff80000....done | |
| Erased 1 sectors | |
| Erasing flash sector @ 0xbff90000....done | |
| Erased 1 sectors | |
| Erasing flash sector @ 0xbffb0000....done | |
| Erased 1 sectors | |
| Erasing flash sector @ 0xbffc0000....done | |
| Erased 1 sectors | |
| Erasing flash sector @ 0xbffd0000....done | |
| Erased 1 sectors | |
| done | |
| Purging environment... Un-Protected 1 sectors | |
| .done | |
| Erased 1 sectors | |
| Writing | |
| done | |
| Hit <Enter> to stop autoboot: 0 | |
| apboot> help | |
| ? - alias for 'help' | |
| boot - boot the OS image | |
| clear - clear the OS image or other information | |
| dhcp - invoke DHCP client to obtain IP/boot params | |
| factory_reset - reset to factory defaults | |
| help - print online help | |
| mfginfo - show manufacturing info | |
| osinfo - show the OS image version(s) | |
| ping - send ICMP ECHO_REQUEST to network host | |
| printenv - print environment variables | |
| purgeenv - restore default environment variables | |
| reset - Perform RESET of the CPU | |
| saveenv - save environment variables to persistent storage | |
| setenv - set environment variables | |
| tftpboot - boot image via network using TFTP protocol | |
| upgrade - upgrade the APBoot or OS image | |
| version - display version | |
| apboot> reset | |
| APBoot 1.4.0.5 (build 38142) | |
| Built: 2013-04-21 at 22:03:44 | |
| Model: AP-11x | |
| CPU: QCA9550 revision: 1.0 | |
| Clock: 720 MHz, DDR rate: 600 MHz, Bus clock: 200 MHz | |
| DRAM: 256 MB | |
| POST1: passed | |
| Copy: done | |
| Flash: 32 MB | |
| Power: DC | |
| PCI: scanning bus 0 ... | |
| dev fn venID devID class rev MBAR0 MBAR1 MBAR2 MBAR3 | |
| 00 00 168c 0033 00002 01 00000004 00000000 00000000 00000000 | |
| Net: eth0 | |
| Radio: ar9590#0, qca9550#1 | |
| Hit <Enter> to stop autoboot: 0 | |
| Checking image @ 0xbf100000 (bank 1) | |
| Invalid image format version: 0xffffffff | |
| Switching to flash bank: 2 | |
| Checking image @ 0xbf100000 (bank 2) | |
| Image is signed; verifying checksum... passed | |
| Signer Cert OK | |
| Policy Cert OK | |
| RSA signature verified. | |
| ELF file is 32 bit | |
| Loading .text @ 0x80e00000 (4672968 bytes) | |
| Loading .data @ 0x81274dd0 (32 bytes) | |
| Clearing .bss @ 0x81274df0 (16 bytes) | |
| ## Starting application at 0x80e00000 ... | |
| Uncompressing............................................ | |
| Aruba Networks | |
| ArubaOS Version 6.3.1.0 (build 38874 / label #38874) | |
| Built by p4build@cyprus on 2013-07-03 at 19:14:29 PDT (gcc version 4.3.3) | |
| CPU Rev: 1130 | |
| 955x CPU | |
| flash_size passed from bootloader = 32 | |
| arg 1: mem=256M | |
| Flash variant: default | |
| cpu apb ddr apb ath_955x_sys_frequency: cpu 720 ddr 600 ahb 200 | |
| Cache parity protection disabled | |
| ath_timer_init: plat time init done | |
| Using 360.000 MHz high precision timer. cycles_per_jiffy=720000 | |
| Memory: 251520k/262144k available (1927k kernel code, 10420k reserved, 844k data, 3796k init, 0k highmem) | |
| available. | |
| detected lzma initramfs | |
| initramfs: LZMA lc=3,lp=0,pb=2,dictSize=8388608,origSize=17933312 | |
| LZMA initramfs by Ming-Ching Tiew <[email protected]> .................................................................................................................................................................................................................................................................................. | |
| qca955x_pcibios_init: bus 0 | |
| qca955x_pcibios_init(1239): PCI 0 CMD write: 0x356 | |
| qca955x_pcibios_init: bus 1 | |
| qca955x_pcibios_map_irq: IRQ 75 for bus 0 | |
| ATH GPIOC major 0 | |
| wdt: registered with refresh | |
| Enabling Watchdog | |
| Talisker RSSI LED initialization | |
| Concatenating MTD devices: | |
| (0): "bank1" | |
| (1): "bank2" | |
| into device "flash" | |
| Creating 1 MTD partitions on "flash": | |
| 0x00000000-0x02000000 : "flash" | |
| i2c /dev entries driver | |
| i2c-talisker: using default base 0x18040000 | |
| lo: Disabled Privacy Extensions | |
| IPv6 over IPv4 tunneling driver | |
| Starting Kernel SHA1 KAT ...Completed Kernel SHA1 KAT | |
| Starting Kernel HMAC-SHA1 KAT ...Completed Kernel HMAC-SHA1 KAT | |
| Starting Kernel DES KAT ...Completed Kernel DES KAT | |
| Starting Kernel AES KAT ...Completed Kernel AES KAT | |
| Starting Kernel AESGCM KAT ...Completed Kernel AESGCM KAT | |
| Domain Name: arubanetworks.com | |
| No panic info available | |
| apfcutil: sector CACHE: Cache uninitialized | |
| apfcutil: sector RAP: Cache uninitialized | |
| apfcutil -c RAP: Uninitialized. Initializing......... | |
| apfcutil: sector MESH Prov: Cache uninitialized | |
| qca955x_GMAC: Length per segment 1536 | |
| 955x_GMAC: qca955x_gmac_attach | |
| 955x_GMAC: qca955x_set_gmac_caps | |
| Currently in polling mode unit0 | |
| mac:0 Registering S17.... | |
| qca955x_GMAC: RX TASKLET - Pkts per Intr:100 | |
| qca955x_GMAC: Mac address for unit 0:8079bbc0 | |
| qca955x_GMAC: 24:de:c6:ca:b0:b0 | |
| qca955x_GMAC: Max segments per packet : 1 | |
| qca955x_GMAC: Max tx descriptor count : 128 | |
| qca955x_GMAC: Max rx descriptor count : 128 | |
| qca955x_GMAC: Mac capability flags : 2201 | |
| _athrs17_mac0_intf done | |
| athrs17_reg_init:done | |
| Phy setup Complete | |
| drvlog_mod: module license 'Proprietary' taints kernel. | |
| AP xml model 72, num_radios 2 (jiffies 4435) | |
| init_asap_mod: installation:0 | |
| radio 0: band 1 ant 0 max_ssid 16 | |
| radio 1: band 0 ant 0 max_ssid 16 | |
| Starting watchdog process... | |
| Getting an IP address... | |
| To set s17 LOOKUP_CTRL_REG registers, flag 0 | |
| athr_gmac_ring_alloc Allocated 2048 at 0x806cb000 | |
| athr_gmac_ring_alloc Allocated 2048 at 0x8ee70800 | |
| 955x_GMAC: eth0 in RGMII MODE | |
| Scorpion -----> S17 PHY | |
| FINAL XMII VAL after RX Calibration - 0x84000101 | |
| Error: cannot be initialized twice! | |
| athrs17_reg_init:done | |
| Setting PHY... | |
| Phy setup Complete | |
| To set s17 LOOKUP_CTRL_REG registers, flag 1 | |
| ADDRCONF(NETDEV_UP): bond0: link is not ready | |
| help | |
| ~ # ls | |
| ls: Permission denied | |
| ~ # help | |
| help: Permission denied | |
| ~ # commands | |
| commands: Permission denied | |
| ~ # ~ # | |
| ~ # | |
| ~ # bash | |
| bash: Permission denied | |
| ~ # / | |
| / /bin/ /dev/ /lib/ /proc/ /sys/ /usr/ | |
| /aruba/ /debug/ /etc/ /mnt/ /sbin/ /tmp/ /var/ | |
| ~ # / | |
| / /bin/ /dev/ /lib/ /proc/ /sys/ /usr/ | |
| /aruba/ /debug/ /etc/ /mnt/ /sbin/ /tmp/ /var/ | |
| ~ # /bin/ | |
| /bin/ash /bin/dmesg /bin/kill /bin/ping6 /bin/sync | |
| /bin/brctl /bin/echo /bin/ln /bin/ps /bin/tar | |
| /bin/busybox /bin/egrep /bin/ls /bin/pwd /bin/touch | |
| /bin/cat /bin/false /bin/mkdir /bin/rm /bin/true | |
| /bin/chgrp /bin/fgrep /bin/mknod /bin/rmdir /bin/umount | |
| /bin/chmod /bin/grep /bin/mktemp /bin/sc.awk /bin/uname | |
| /bin/chown /bin/gunzip /bin/more /bin/sed /bin/vi | |
| /bin/cp /bin/gzip /bin/mount /bin/sh /bin/zcat | |
| /bin/date /bin/hostname /bin/mv /bin/sleep | |
| /bin/dd /bin/ip /bin/netstat /bin/ss.awk | |
| /bin/df /bin/ipcalc /bin/ping /bin/stty | |
| ~ # /bin/mv | |
| /bin/mv: Permission denied | |
| ~ # chmod | |
| chmod: Permission denied | |
| ~ # busybox | |
| busybox: Permission denied | |
| ~ # /aruba/ | |
| /aruba/bin/ /aruba/conf/ /aruba/lib/ | |
| ~ # /aruba/conf/ | |
| /aruba/conf/mini_httpd.pem /aruba/conf/stm.cfg | |
| ~ # /aruba/conf/ | |
| /aruba/conf/mini_httpd.pem /aruba/conf/stm.cfg | |
| ~ # /aruba/conf/ | |
| ~ # ? | |
| ?: Permission denied | |
| ~ # help | |
| help: Permission denied | |
| ~ # - | |
| -: Permission denied | |
| ~ # . | |
| .: Permission denied | |
| ~ # , | |
| ,: Permission denied | |
| ~ # >ÄÖZL | |
| Redirection Not ~ # | |
| ~ # > | |
| /bin/sh: Syntax error: newline unexpected | |
| ~ # ct | |
| ct: Permission denied | |
| ~ # cat | |
| cat: Permission denied | |
| ~ # ls | |
| ls: Permission denied | |
| ~ # help | |
| help: Permission denied | |
| ~ # / | |
| / /bin/ /debug/ /etc/ /mnt/ /sbin/ /tmp/ /var/ | |
| /aruba/ /core /dev/ /lib/ /proc/ /sys/ /usr/ | |
| ~ # /sbin/ | |
| /sbin/adjtimex /sbin/show_stats_printk | |
| /sbin/dfs_test_override_channel_move /sbin/site_survey | |
| /sbin/dumptx /sbin/sysctl | |
| /sbin/fake_radar /sbin/syslogd | |
| /sbin/get_eth_files /sbin/tune_bin5burstint | |
| /sbin/ifconfig /sbin/tune_bin5burstthresh | |
| /sbin/init /sbin/tune_bin5dur | |
| /sbin/insmod /sbin/tune_bin5longpulse | |
| /sbin/klogd /sbin/tune_bin5pulseint | |
| /sbin/lsmod /sbin/tune_bin5rssi | |
| /sbin/makedevs /sbin/tune_bin5rssithresh | |
| /sbin/modprobe /sbin/tune_bin5start | |
| /sbin/print_radar /sbin/tune_bin5window | |
| /sbin/print_stats /sbin/tune_dur | |
| /sbin/reboot /sbin/tune_radar | |
| /sbin/reset_stats /sbin/tune_radarpower | |
| /sbin/rmmod /sbin/tune_rssi | |
| /sbin/route /sbin/udhcpc | |
| /sbin/show_stats /sbin/utelnetd | |
| ~ # /sbin/reboot | |
| /sbin/reboot: Permission denied | |
| ~ # ./sbin/reboot | |
| ./sbin/reboot: Permission denied | |
| ~ # ~ # |
Booting likely happens from inner chip (the harder one to desolder...)
root@gw1:~/ap-115# grep -r "Erasing flash sector" .
grep: ./AP115-stock-SPI-dump-inner.rom: binary file matches
TODO: test if you can read the chip just by desoldering the power pin about 2.8kohm resistor (Note: hot air gun required anyway as the board is too thick for a soldering iron and the resistor too small)
Removing the resistor did not seem to work, another AP likely destroyed...
Again, likely only inner chip needs to be detached and flashed as it contains the bootloader strings:
# fgrep -r "Signer Cert OK" .
grep: ./AP115-stock-SPI-dump-inner.rom: binary file matchesrom dumps available upon request
AP-115 is now supported by OpenWrt officially:
Flashing instructions and full thanks to David Bauer for making this device functional!
Get firmware here.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Desoldered the chips, broke a few pads. Maybe could do pin lifting of the power pin instead?