mirror of
https://github.com/openwrt/openwrt.git
synced 2026-06-17 12:40:16 +04:00
Lukas Stockner
d2a75029a5
This is a dual-radio 802.11a/b/g/n/ac access point with
dual Gigabit Ethernet.
There are two closely related models: The AP-324, which has external
antenna connectors, and the AP-325, which has internal antennas.
The board appears to be identical, and the same image works on both.
Additionally, the Siemens Scalance W1750D is an OEM variant using
the same board, so the image also works on that.
Unfortunately the factory APBoot bootloader enforces cryptographic
signatures on the firmware before booting, so a modified version
must be flashed via the serial port. See [^1] for details.
Specifications
==============
* Device: Aruba AP-325 / AP-324
* SoC: Qualcomm IPQ8068 2x1.4GHz ARMv7-A
* RAM: 512MiB (2x Winbond W632GU6MB-12)
* SPI flash: 4MiB Macronix MX25U3235F
* NAND flash: 128MiB Winbond W29N01HZBINF
* WiFi: 2x Qualcomm QCA9990 (one 2.4G, one 5G)
* Ethernet: 2x 1000BASE-T (Marvell 88E1514 PHY), both PoE-capable
* Power: PoE 802.3at or 12V DC jack
* LEDs: Red/Amber/Green status LED, Amber/Green WiFi LED
* Buttons: 1x, behind hole next to DC jack
* Console: RJ45 connector, Cisco pinout
* USB: 1x USB 2.0 Type A, 1x internal to BLE, SoC has USB 3.0
host but board is only wired for 2.0
* BLE: TI CC2540 SoC, connected to USB and UART, unpopulated
debug header on PCB
* TPM: Atmel AT97SC3205T
How to install
==============
The stock bootloader APBoot appears to be vendor fork of U-Boot, which
disables much of the usual functionality and comes with its own booting
and firmware upgrade logic.
Unfortunately, this logic enforces RSA signatures on images,
even for the default boot from NAND.
Therefore, a patched bootloader is needed, which is built as a package.
In addition to the signature check removal, this also changes
the serial baudrate to 115200.
Luckily, the stock firmware does not disable the `sf` command
(it just hides it until you run `diag`), so the patched bootloader
can be fetched via TFTP and then flashed via console.
Flashing patched APBoot
-----------------------
* Build OpenWrt, or download `openwrt-ipq806x-generic-aruba_ap-32x-apboot.mbn`
* Connect serial cable and wired ethernet
* Access stock APBoot console at Baud 9600
* Flash patched bootloader:
```
setenv serverip <your TFTP server IP>
setenv autostart n
netget 44000000 openwrt-ipq806x-generic-aruba_ap-32x-apboot.mbn
sf probe 0
sf erase 220000 100000
sf write 44000000 220000 100000
reset
```
Booting OpenWrt
---------------
* Connect serial cable and wired ethernet
* Access patched APBoot console at Baud 115200
* Run `setenv serverip <your TFTP server IP>`
* Run `tftpboot openwrt-ipq806x-generic-aruba_ap-32x-initramfs.ari`
Installing OpenWrt
------------------
* Connect serial cable and wired ethernet
* Access patched APBoot console at Baud 115200
* Consider backing up stock firmware(s) (UBI volumes `aos0` and/or `aos1`)
by booting into OpenWrt via initramfs (see above) and dumping them
* Wipe and repartition NAND flash (see below for explanation):
```
nand device 0
nand erase.chip
reset
ubi part ubifs
ubi remove ubifs
ubi create ubifs 1
ubi create rootfs_data
```
* Follow steps above to boot OpenWrt via initramfs
* From OpenWrt, persist installation via sysupgrade
Reverting to stock FW
---------------------
The patched bootloader remains compatible with the original firmware,
so you can just wipe the NAND, let APBoot recreate the partitions,
and flash back the `aos0`/`aos1` backup from above.
Current status
==============
Tested and working
------------------
* Console
* Wired GbE (both ports)
* WiFi (both 2.4G and 5G)
* LEDs
* Restart Button
* USB port
* External watchdog
* TPM
* BLE SoC
Future work
-----------
* GPIOs for:
* power source (8 indicates DC jack, 59 indicates 802.3at)
* reset source (64 for warm reset, 65 for watchdog)
* USB overcurrent (63)
* BLE SoC reflashing
* CC2540 comes with Aruba-specific FW out of the box
* Debug header is exposed on PCB (pinout GND-VCC-Clock-Data-Reset),
but that requires disassembly
* Stock BLE FW appears to support reflashing via UART, but protocol
would need to be reverse-engineered
* ramoops/pstore
* It appears that APBoot clears the RAM on boot, might be something
we can patch out as well
* Porting a modern U-Boot
Flash layout
============
SPI flash
---------
```
0x000000-0x020000 sbl1
0x020000-0x040000 mibib
0x040000-0x080000 sbl2
0x080000-0x100000 sbl3
0x100000-0x110000 ddrconfig
0x110000-0x120000 ssd
0x120000-0x1a0000 tz
0x1a0000-0x220000 rpm
0x220000-0x320000 appsbl
0x320000-0x330000 appsblenv
0x330000-0x370000 art
0x370000-0x380000 panicdump
0x380000-0x390000 certificate
0x390000-0x3a0000 mfginfo
0x3a0000-0x3b0000 flashcache
0x3b0000-0x400000 aosspare
```
Factory NAND flash
------------------
* 32MiB MTD partition `aos0`, formatted as UBI
* 32MiB UBI volume `aos0`
* contains kernel+initrd of the primary firmware,
initrd contains the entire root FS
* 32MiB MTD partition `aos1`, formatted as UBI
* 32MiB UBI volume `aos1`
* contains kernel+initrd of the secondary firmware,
initrd contains the entire root FS
* 64MiB MTD partition `ubifs`, formatted as UBI
* 64MiB UBI volume `ubifs`
* Contains UBIFS, overlay-mounted on top of the initrd,
shared between firmware slots
APBoot understands UBI, and will read the kernel from the
`aos0` or `aos1` volume (depending on `os_partition`)
with fallback to the other one in case a check fails.
Kernels are expected to have a vendor-specific header, the included
script will add that header with the correct checksum but no signature.
OpenWrt NAND flash
------------------
OpenWrt assumes separate UBI volumes for kernel and rootfs,
as well as a volume that must be named `rootfs_data` for the UBIFS.
Unfortunately, APBoot actively checks the UBI volumes at boot, and will
repartition if it doesn't find the volumes that it expects (listed above).
Luckily, it doesn't check their size, only their existence. Therefore,
we can use the following layout:
* 32MiB MTD partition `aos0`, formatted as UBI
* 32MiB UBI volume `aos0`
* contains OpenWrt kernel+initrd
* 32MiB MTD partition `aos1`, formatted as UBI
* 32MiB UBI volume `aos1`
* contains OpenWrt root squashfs
* 64MiB MTD partition `ubifs`, formatted as UBI
* small (single-LEB) UBI volume `ubifs`
* Dummy volume, only there to satisfy APBoot
* almost 64MiB UBI volume `rootfs_data`
* contains UBIFS, overlay-mounted on top of the rootfs
[^1]: https://github.com/lukasstockner/ap325-apboot-openwrt
Signed-off-by: Lukas Stockner <lukas@lukasstockner.de>
Link: https://github.com/openwrt/openwrt/pull/20738
Signed-off-by: Paul Spooren <mail@aparcar.org>