{"id":32,"date":"2020-03-08T21:51:38","date_gmt":"2020-03-08T20:51:38","guid":{"rendered":"http:\/\/10.11.14.2\/?p=32"},"modified":"2020-03-19T18:33:33","modified_gmt":"2020-03-19T17:33:33","slug":"fixing-a-bricked-sophos-ap15","status":"publish","type":"post","link":"https:\/\/themadengineer.net\/index.php\/2020\/03\/08\/fixing-a-bricked-sophos-ap15\/","title":{"rendered":"Fixing a bricked Sophos AP15"},"content":{"rendered":"\n<p class=\"has-normal-font-size\"><strong>Problem, background:<\/strong> My Sophos AP15 became \u2019bricked\u2019 after an update.<\/p>\n\n\n\n<p class=\"has-normal-font-size\"><strong>Symptom:<\/strong> The LED is solid orange (yellow) and there is no response using Ethernet. In addition, no maintenance port exists, at least not on my AP.<\/p>\n\n\n\n<p><strong>Initial\nactions<\/strong>: \n<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>A chat with Sophos support did not result in anything useful. <\/li><li>Googling the problem resulted in quite a few hits with people complaining about the same problem. <\/li><li>Good news: The AP is probably not dead. Something just went awfully wrong while updating. <\/li><li>One solution was found; a German gentleman who removed a circuit and successfully reprogrammed it. However, this seems a bit complicated. Is there perhaps an easier way?<\/li><\/ul>\n\n\n\n<p><strong>Investigation:<\/strong><br>1. Open the AP. 
Four screws under the rubber pads.<br><\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.madengineer.tech\/wp-content\/uploads\/2020\/03\/image.png\" alt=\"\" class=\"wp-image-37\" width=\"527\" height=\"395\" srcset=\"https:\/\/themadengineer.net\/wp-content\/uploads\/2020\/03\/image.png 850w, https:\/\/themadengineer.net\/wp-content\/uploads\/2020\/03\/image-300x225.png 300w, https:\/\/themadengineer.net\/wp-content\/uploads\/2020\/03\/image-768x576.png 768w\" sizes=\"auto, (max-width: 527px) 100vw, 527px\" \/><figcaption>The inside of Sophos AP15<\/figcaption><\/figure><\/div>\n\n\n\n<p>Conclusion, notes:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>It\n\tlooks promising \u2013 there are two terminal blocks which may provide\n\ta way to communicate with the AP.\n\t<\/li><li>However,\n\tthe blocks are unmarked. This needs to be investigated.\n<\/li><\/ul>\n\n\n\n<p>2.  I look closer at the terminal blocks. Let&#8217;s say that the big one is <strong>A <\/strong>and the small one is <strong>B<\/strong>.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.madengineer.tech\/wp-content\/uploads\/2020\/03\/image-1.png\" alt=\"\" class=\"wp-image-41\" width=\"488\" height=\"366\" srcset=\"https:\/\/themadengineer.net\/wp-content\/uploads\/2020\/03\/image-1.png 1008w, https:\/\/themadengineer.net\/wp-content\/uploads\/2020\/03\/image-1-300x225.png 300w, https:\/\/themadengineer.net\/wp-content\/uploads\/2020\/03\/image-1-768x576.png 768w, https:\/\/themadengineer.net\/wp-content\/uploads\/2020\/03\/image-1-850x638.png 850w\" sizes=\"auto, (max-width: 488px) 100vw, 488px\" \/><figcaption>Names of terminal blocks<\/figcaption><\/figure><\/div>\n\n\n\n<p>Conclusion, notes:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Interface A is probably a 14 pin JTAG. 
<\/li><li>Interface B is more interesting. Could it be a serial interface? Now, let\u2019s number the pins from left to right, 1 through 4, and do some measurements. <\/li><\/ul>\n\n\n\n<p>3.  Conduct some measurements with a DVM to find out what these pins actually do.  The AP is probably sending something when booting so conduct all measurements at startup.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"\"><tbody><tr><td><strong>Pin<\/strong><\/td><td><strong>Voltage DC (V)<\/strong><\/td><td><strong>Voltage AC (V)<\/strong><\/td><td><strong>Resistance (4k), ref GND<\/strong><\/td><\/tr><tr><td>1<\/td><td>2.57<\/td><td>0.03<\/td><td>OL<\/td><\/tr><tr><td>2<\/td><td>0.00<\/td><td>0.02<\/td><td>0.00<\/td><\/tr><tr><td>3<\/td><td>0.00<\/td><td>0.01<\/td><td>0.561<\/td><\/tr><tr><td>4<\/td><td>3.38<\/td><td>0.00<\/td><td>OL<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Conclusion, notes:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Pin 1 is most likely a TX pin <\/li><li>Pin 2 is a GND pin <\/li><li>Pin 3 is most likely an RX pin <\/li><li>Pin 4 is a VCC pin (3.3 VDC)<\/li><li>This could be a serial interface<\/li><\/ul>\n\n\n\n<p>4. Now, let\u2019s use an oscilloscope and have a look at pin 1.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"793\" height=\"506\" src=\"https:\/\/blog.madengineer.tech\/wp-content\/uploads\/2020\/03\/image-5.png\" alt=\"\" class=\"wp-image-52\" srcset=\"https:\/\/themadengineer.net\/wp-content\/uploads\/2020\/03\/image-5.png 793w, https:\/\/themadengineer.net\/wp-content\/uploads\/2020\/03\/image-5-300x191.png 300w, https:\/\/themadengineer.net\/wp-content\/uploads\/2020\/03\/image-5-768x490.png 768w\" sizes=\"auto, (max-width: 793px) 100vw, 793px\" \/><figcaption>Result when measuring at pin 1, 20 us\/DIV<\/figcaption><\/figure>\n\n\n\n<p>Conclusion, notes:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>The signal looks very much like standard serial communication. 
<\/li><li>If it is a serial signal the first low part of the signal constitutes one bit.<\/li><\/ul>\n\n\n\n<p>5. Adjust the timebase to be able to measure the width.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"786\" height=\"506\" src=\"https:\/\/blog.madengineer.tech\/wp-content\/uploads\/2020\/03\/image-4.png\" alt=\"\" class=\"wp-image-50\" srcset=\"https:\/\/themadengineer.net\/wp-content\/uploads\/2020\/03\/image-4.png 786w, https:\/\/themadengineer.net\/wp-content\/uploads\/2020\/03\/image-4-300x193.png 300w, https:\/\/themadengineer.net\/wp-content\/uploads\/2020\/03\/image-4-768x494.png 768w\" sizes=\"auto, (max-width: 786px) 100vw, 786px\" \/><figcaption>Result when measuring at pin 1, 1 us\/DIV<\/figcaption><\/figure>\n\n\n\n<p>The width=t ~ 8.7 us which means baudrate=1\/t ~ 114943 baud. This number is very close to the standard baudrate = 115200.<\/p>\n\n\n\n<p>Conclusion, notes:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Terminal block B is a 3.3 V serial interface with the following pinout: <ul><li>Pin 1 is TX <\/li><li>Pin 2 is GND <\/li><li>Pin 3 is RX <\/li><li>Pin 4 is VCC (no use) <\/li><li>Baudrate is probably 115200<\/li><\/ul><\/li><\/ul>\n\n\n\n<p>6. Now, I try the conclusion in 5. Use a TTL-USB converter cable. In my case, I already had a FTDI cable model TTL-232RG-VREG3V3-WE around. 
It has the following pinout:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><a href=\"https:\/\/www.ftdichip.com\/Support\/Documents\/DataSheets\/Cables\/DS_TTL-232RG_CABLES.pdf\"><img loading=\"lazy\" decoding=\"async\" width=\"509\" height=\"240\" src=\"https:\/\/blog.madengineer.tech\/wp-content\/uploads\/2020\/03\/image-6.png\" alt=\"\" class=\"wp-image-54\" srcset=\"https:\/\/themadengineer.net\/wp-content\/uploads\/2020\/03\/image-6.png 509w, https:\/\/themadengineer.net\/wp-content\/uploads\/2020\/03\/image-6-300x141.png 300w\" sizes=\"auto, (max-width: 509px) 100vw, 509px\" \/><\/a><figcaption>Pinout for TTL-232RG-VREG3V3-WE (source: FTDI manual)<\/figcaption><\/figure><\/div>\n\n\n\n<p>7. I attach some test leads to the TTL-USB converter cable following the same colours as in the specification above. I attach them accordingly, i.e. TX-RX and RX-TX.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.madengineer.tech\/wp-content\/uploads\/2020\/03\/image-7.png\" alt=\"\" class=\"wp-image-56\" width=\"413\" height=\"310\" srcset=\"https:\/\/themadengineer.net\/wp-content\/uploads\/2020\/03\/image-7.png 1008w, https:\/\/themadengineer.net\/wp-content\/uploads\/2020\/03\/image-7-300x225.png 300w, https:\/\/themadengineer.net\/wp-content\/uploads\/2020\/03\/image-7-768x576.png 768w, https:\/\/themadengineer.net\/wp-content\/uploads\/2020\/03\/image-7-850x638.png 850w\" sizes=\"auto, (max-width: 413px) 100vw, 413px\" \/><figcaption>Attaching test leads to terminal B which is a 3.3V serial interface.<\/figcaption><\/figure><\/div>\n\n\n\n<p>8. 
I then fire up good old <a href=\"https:\/\/www.putty.org\/\">Putty<\/a> and use the following settings:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li> Serial settings: 8N1 (most common), no Flow Control (flow control is rarely used these days)<\/li><li>Speed: 115200 baud<\/li><li>Com Port: COM10 (in my case. It may vary. Use Device manager to check)<\/li><\/ul>\n\n\n\n<p>9. I attach power to the AP and keep my fingers crossed.<\/p>\n\n\n\n<p>\n<em>Yipiieee!!! The\nresearch paid off. There is text on the screen!!!!<\/em><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>U-Boot 1.1.4-gb47de1b6 (Jan 24 2017 - 11:22:47)\nELX version: 1.0.0\n\n7679WSC - Scorpion 1.0DRAM:\nsri\nScorpion 1.0\nath_ddr_initial_config(178): (32bit) ddr2 init\ntap = 0x00000003\nTap (low, high) = (0x4, 0x1f)\nTap values = (0x11, 0x11, 0x11, 0x11)\n128 MB\nFlash Manuf Id 0xc2, DeviceId0 0x20, DeviceId1 0x18\nFlash [MX25L12845E] sectors: 256\nFlash: 16 MB\n*** Warning *** : PCIe WLAN Module not found !!!\nIn:    serial\nOut:   serial\nErr:   serial\nNet:   ath_gmac_enet_initialize...\nathrs_sgmii_res_cal: cal value = 0x1\nath_gmac_enet_initialize: reset mask:c02200\nScorpion ----&gt;8035 PHY*\nAR8035 PHY reg init\n: cfg1 0x80000000 cfg2 0x7114\neth0: 00:00:aa:bb:cc:dd\nAR8035 found!\n[0:4]Phy ID 4d:d072\nPort 0, Neg Success\neth0 up\neth0\nSetting 0x18116290 to 0x458ba14f\nHit any key to stop autoboot:  0\n## Booting image at 9f070000 ...\n   Image Name:   MIPS OpenWrt Linux-3.18.11\n   Created:      2019-11-18   9:53:25 UTC\n   Image Type:   MIPS Linux Kernel Image (gzip compressed)\n   Data Size:    6900777 Bytes =  6.6 MB\n   Load Address: 80060000\n   Entry Point:  80060000\n   Verifying Checksum at 0x9f070040 ...Bad Data CRC<\/code><\/pre>\n\n\n\n<p>Conclusion, notes:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>A standard boot loader, <a href=\"https:\/\/www.denx.de\/wiki\/U-Boot\/\">U-Boot<\/a>, is used in the Sophos AP15. U-Boot can easily be googled. 
<\/li><li>At the end it is obvious that it is indeed a firmware update that has gone wrong; \u2019Bad Data CRC\u2019 <\/li><li>The fault is in SW and thanks to the presence of U-Boot it might be fixable.<\/li><\/ul>\n\n\n\n<p>10. Now, let\u2019s restart the AP and interrupt the autoboot by pressing any key at the right time (see above, \u2019Hit any key to stop autoboot\u2019). This brings us to a prompt, \u2019ath&gt;\u2019. Looking at the U-Boot manual on the internet I now try the command \u2019help\u2019 to see what it does. <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ath&gt; help\n?       - alias for 'help'\nautoscr - run script from memory\nbase    - print or set address offset\nbdinfo  - print Board Info structure\nboot    - boot default, i.e., run 'bootcmd'\nbootd   - boot default, i.e., run 'bootcmd'\nbootelf - Boot from an ELF image in memory\nbootm   - boot application image from memory\nbootp   - boot image via network using BootP\/TFTP protocol\nbootvx  - Boot vxWorks from an ELF image\ncmp     - memory compare\nconinfo - print console devices and information\ncp      - memory copy\ncrc32   - checksum calculation\ndhcp    - invoke DHCP client to obtain IP\/boot params\necho    - echo args to console\nerase   - erase FLASH memory\nethreg    - S26 PHY Reg rd\/wr  utility\nexit    - exit script\nflinfo  - print FLASH memory information\ngo      - start application at address 'addr'\nhelp    - print online help\niminfo  - print header information for application image\nitest   - return true\/false on integer compare\nloop    - infinite loop on address range\nmd      - memory display\ncompute MD5 message digestmii     - MII utility commands\nmm      - memory modify (auto-incrementing)\nmtest   - simple RAM test\nmw      - memory write (fill)\nnfs     - boot image via network using NFS protocol\nnm      - memory modify (constant address)\npci     - list and access PCI Configuration Space\nping    - send ICMP ECHO_REQUEST to network host\npll cpu-pll 
dither ddr-pll dither - Set to change CPU &amp; DDR speed\npll erase\npll get\nprintenv- print environment variables\nprogmac - Set ethernet MAC addresses\nprotect - enable or disable FLASH write protection\nrarpboot- boot image via network using RARP\/TFTP protocol\nreset   - Perform RESET of the CPU\nrun     - run commands in an environment variable\nsaveenv - save environment variables to persistent storage\nsendmagic       - (usage) send\/broadcast MAGIC PACKET to network host\n                - &lt;timeout&gt; timeout for response\n                - &lt;retry&gt; number of times magic to be sent to network host\n                - &lt;devid_base_addr&gt; baseaddr of sector containing devid\n                - &lt;devid_len&gt; offset to base addr\n                - &lt;offset_to_baseaddr&gt; offset to base addr\nsendsts - send status of firmware recovery process\n                - &lt;stscode&gt; 0 - send apstate, non-zero - send specified statuscode\nsetenv  - set environment variables\nsleep   - delay execution for some time\ntest    - minimal test like \/bin\/sh\ntftpboot- boot image via network using TFTP protocol\nversion - print monitor version\nath&gt;<\/code><\/pre>\n\n\n\n<p>Conclusion, notes:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>The full U-Boot seems to be present and there are several useful commands available. <\/li><li>A new firmware is most likely transferred by using <a href=\"https:\/\/en.wikipedia.org\/wiki\/Trivial_File_Transfer_Protocol\">TFTP<\/a> (Trivial File Transfer Protocol), i.e. tftpboot. TFTP is a simple lockstep File Transfer Protocol which allows a client to get a file from or put a file onto a remote host. <\/li><\/ul>\n\n\n\n<p>11. If indeed tftpboot is used, I want to know how it is configured, i.e. I want to know the IP of the AP and the IP of the server where the AP expects the firmware to be. There should be no harm in trying that command when the AP is not connected to anything. 
So, let\u2019s try \u2019tftpboot\u2019 at the prompt. <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ath&gt; tftpboot\neth0 link down\nUsing eth0 device\nTFTP from server 192.168.99.8; our IP address is 192.168.99.9\nFilename 'uImage_AP15'.\nLoad address: 0x81000000\nLoading: Tx Timed out\nAbort\nath&gt;<\/code><\/pre>\n\n\n\n<p>Conclusion, notes:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>It is highly likely that tftpboot is used to download a new firmware to the AP using the parameters below: <ul><li>The IP of the AP is: 192.168.99.9 <\/li><li>The IP of the server, i.e. usually the firewall itself, is: 192.168.99.8 <\/li><li>The filename of the image the AP tries to download is: uImage_AP15  <\/li><\/ul><\/li><\/ul>\n\n\n\n<p>12. The way forward must then be to create a local environment as above, i.e. to create a TFTP-server with the image file on it and then connect the AP to it. Now, the next step is to find the firmware. I spent quite a bit of time looking on the Sophos homepage but I was unable to find any firmware. <\/p>\n\n\n\n<p>Conclusion, notes:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>The\n\tfirmware is probably distributed as a part of an update for the\n\tentire firewall. In that case, the firmware should be present as a\n\tfile called \u2019uImage_AP15\u2019 somewhere in the file system of the\n\tfirewall.\n<\/li><\/ul>\n\n\n\n<p>13. I enable SSH access in the firewall (I usually keep SSH access disabled). <\/p>\n\n\n\n<p>14. I connect to the firewall using <a href=\"https:\/\/www.putty.org\/\">Putty<\/a> and use the Unix command \u2019find\u2019 to look for \u2019AP15\u2019. I get a hit in \/etc\/wireless\/firmware. 
Good, the path name makes sense.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>loginuser@stargate:\/etc\/wireless\/firmware &gt; ls -al\ntotal 74140\ndrwxr-xr-x 2 root root     4096 Feb 10 18:49 .\ndrwxr-xr-x 4 root root     4096 Nov 20 14:48 ..\n-rw-r--r-- 1 root root      134 Nov 20 11:55 AP100C.devinfo\n-rw-r--r-- 1 root root  7147656 Nov 20 11:55 AP100C.uimage\n-rw-r--r-- 1 root root      133 Nov 20 11:55 AP100.devinfo\n-rw-r--r-- 1 root root  7149112 Nov 20 11:55 AP100.uimage\n-rw-r--r-- 1 root root      134 Nov 20 11:55 AP100X.devinfo\n-rw-r--r-- 1 root root  7147507 Nov 20 11:55 AP100X.uimage\n-rw-r--r-- 1 root root      124 Nov 20 11:54 AP10.devinfo\n-rw-r--r-- 1 root root  2872508 Nov 20 11:54 AP10.uimage\n-rw-r--r-- 1 root root      133 Nov 20 11:54 AP15C.devinfo\n-rw-r--r-- 1 root root  6896868 Nov 20 11:54 AP15C.uimage\n-rw-r--r-- 1 root root      132 Nov 20 11:54 AP15.devinfo\n-rw-r--r-- 1 root root  6900841 Nov 20 11:54 AP15.uimage\n-rw-r--r-- 1 root root      124 Nov 20 11:54 AP30.devinfo\n-rw-r--r-- 1 root root  2872041 Nov 20 11:54 AP30.uimage\n-rw-r--r-- 1 root root      124 Nov 20 11:55 AP50.devinfo\n-rw-r--r-- 1 root root  3897845 Nov 20 11:55 AP50.uimage\n-rw-r--r-- 1 root root      133 Nov 20 11:55 AP55C.devinfo\n-rw-r--r-- 1 root root  7145137 Nov 20 11:55 AP55C.uimage\n-rw-r--r-- 1 root root      132 Nov 20 11:55 AP55.devinfo\n-rw-r--r-- 1 root root  7148578 Nov 20 11:55 AP55.uimage\n-rw-r--r-- 1 root root       53 Nov 20 14:48 AP5.devinfo\n-rw-r--r-- 1 root root      249 Nov 20 11:55 APX.devinfo\n-rw-r--r-- 1 root root 16654365 Nov 20 11:55 APX.uimage\n-rw-r--r-- 1 root root       56 Nov 20 15:18 RED15w.devinfo\nloginuser@stargate:\/etc\/wireless\/firmware &gt;<\/code><\/pre>\n\n\n\n<p>Conclusion, notes:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>The folder seems to contain firmware for all Sophos AP products, including the one I want, AP15. 
Two files are of interest for my AP:<ul><li>AP15.uimage, 6900841 bytes<\/li><li>AP15.devinfo, 132 bytes<\/li><\/ul><\/li><\/ul>\n\n\n\n<p>15. I download all files in the folder on my firewall using the <a href=\"https:\/\/www.bitvise.com\/\">Bitvise SSH Client<\/a>.<\/p>\n\n\n\n<p>16. Looking at AP15.devinfo with <a href=\"https:\/\/notepad-plus-plus.org\/\">Notepad++<\/a> results in the following:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>DEVICE_TYPE=AP15\nFIRMWARE_VERSION=9500-wifi-0c67c7fe-b19f3b0\nQCA_VERSION=c3496dd\nFIRMWARE_LENGTH=6900841\nFIRMWARE_TAG=apfw_11.0.010<\/code><\/pre>\n\n\n\n<p>Conclusion, notes:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>The length specified in the devinfo file matches the size on disk for the uimage file. <\/li><li>No CRC info, but since the firmware is distributed as a part of the update bundle for the entire firewall it is likely that this file is intact and that the CRC error is a result of a bad transfer from the firewall to the AP. <\/li><\/ul>\n\n\n\n<p>17. Now I have to use a local TFTP server. I guess any SW can be used but I download and install <a href=\"https:\/\/sourceforge.net\/projects\/tftp-server\/\">this<\/a> TFTP server from SourceForge.  <\/p>\n\n\n\n<p>18. I configure the TFTP-server. The setup is quite straightforward. The IP from 11 is used, i.e. the address that the AP wants to have: 192.168.99.8. <\/p>\n\n\n\n<p>19. I connect the AP to a switch which is also connected to the NIC of my computer where the TFTP Server has been installed. <\/p>\n\n\n\n<p>20. I copy the firmware, \u2019AP15.uimage\u2019, into the root directory of the TFTP Server and rename it like the AP wants, i.e. \u2019uImage_AP15\u2019 (without filetype for some unknown reason). <\/p>\n\n\n\n<p>21. I now connect to the AP again using the serial interface and interrupt the autoboot as in 10 to get to the prompt. <\/p>\n\n\n\n<p>22. At the prompt I now type \u2019tftpboot\u2019 and keep my fingers crossed. 
<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ath&gt; tftpboot\nSpeed is 100TX\nUsing eth0 device\nTFTP from server 192.168.99.8; our IP address is 192.168.99.9\nFilename 'uImage_AP15'.\nLoad address: 0x81000000\nLoading: #################################################################\n         #################################################################\n         #################################################################\n         #################################################################\n         #################################################################\n         #################################################################\n         #################################################################\n         #################################################################\n         #################################################################\n         #################################################################\n         #################################################################\n         #################################################################\n         #################################################################\n         #################################################################\n         #################################################################\n         #################################################################\n         #################################################################\n         #################################################################\n         #################################################################\n         #################################################################\n         ################################################\ndone\nBytes transferred = 6900841 (694c69 hex)\nath&gt;<\/code><\/pre>\n\n\n\n<p>\n<em>Great!\nThis looks promising!<\/em><\/p>\n\n\n\n<p>Conclusion, notes:<\/p>\n\n\n\n<ul 
class=\"wp-block-list\"><li>Now\n\tI have the firmware image at 0x81000000.\n\t<\/li><li>However,\n\taccording to 9 the AP wants to boot from 0x9f070000. Why\n\tdoesn\u2019t this match?\n\t<\/li><li>After\n\ta bit of googling I realize that the procedure is first to download\n\ta new image, then erase the previous version and finally copy the\n\tnew image to the correct address, in this case 0x9f070000.\n\t<\/li><li>Therefore,\n\tthe next step is to erase the erroneous (bad CRC) section in the\n\tflash memory of the AP and finally write the image now located at\n\t0x81000000 to the correct address from where the AP is trying to boot.\n<\/li><\/ul>\n\n\n\n<p>23. Erasing is possible using the command found in 10. So, now I need to find the EXACT part to erase. The command \u2019bdinfo\u2019 seems to be a good choice. <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ath&gt; bdinfo\nboot_params = 0x87F7BFB0\nmemstart    = 0x80000000\nmemsize     = 0x08000000\nflashstart  = 0x9F000000\nflashsize   = 0x01000000\nflashoffset = 0x00029BE4\nethaddr     = 00:00:AA:BB:CC:DD\nip_addr     = 192.168.99.9\nbaudrate    = 115200 bps\nath&gt;<\/code><\/pre>\n\n\n\n<p>24. From 9 I know that the AP wants to boot from 0x9f070000 so that is obviously the start address. After a bit of googling I realize that the key is the parameter flashsize in 23, i.e. the end address is simply 0x9f070000 plus 0x01000000. 
This can be done using the Windows Calculator and the result is  0xA0070000.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"346\" height=\"243\" src=\"https:\/\/blog.madengineer.tech\/wp-content\/uploads\/2020\/03\/image-8.png\" alt=\"\" class=\"wp-image-59\" srcset=\"https:\/\/themadengineer.net\/wp-content\/uploads\/2020\/03\/image-8.png 346w, https:\/\/themadengineer.net\/wp-content\/uploads\/2020\/03\/image-8-300x211.png 300w\" sizes=\"auto, (max-width: 346px) 100vw, 346px\" \/><\/figure><\/div>\n\n\n\n<p>Conclusion, notes:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>The start address and the end address have been found and the command to use should be \u2019era 0x9f070000 0xA0070000\u2019 at the prompt in the AP. <\/li><\/ul>\n\n\n\n<p>25. So, time to erase, a VERY SCARY operation, indeed. However, after having double checked everything a couple of times I think I am ready to proceed. <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ath&gt; era 0x9f070000 0xA0070000\nErasing flash...\nFirst 0x7 last 0xff sector size 0x10000                                      255\nErased 249 sectors\nath&gt;<\/code><\/pre>\n\n\n\n<p>Conclusion, notes:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>No smoke or anything. It seems OK but I cannot tell if everything is fine until after the final step. <\/li><\/ul>\n\n\n\n<p>26. So, to the best of my knowledge this should be the final step, i.e. copying the firmware from 0x81000000 to 0x9f070000. Reading the U-Boot manual I conclude that the command is:<br>cp.b &lt;from_address&gt; &lt;to_address&gt; &lt;size&gt;<br><br>In my case this is:<br>cp.b 0x81000000 0x9f070000 0x694c69<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ath&gt; cp.b 0x81000000 0x9f070000 0x694c69\nCopy to Flash...\n Copy 6900841 [0x694c69] byte to Flash... 
write addr: 9f070000\ndone\nath&gt;<\/code><\/pre>\n\n\n\n<p>Conclusion, notes:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>OK,\n\tagain no smoke. The copying is done and everything seems OK.\n<\/li><\/ul>\n\n\n\n<p>27. The final step is now to try to boot the AP. This is done using the command \u2019boot\u2019 at the prompt.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ath&gt; boot\n## Booting image at 9f070000 ...\n   Image Name:   MIPS OpenWrt Linux-3.18.11\n   Created:      2019-11-18   9:53:25 UTC\n   Image Type:   MIPS Linux Kernel Image (gzip compressed)\n   Data Size:    6900777 Bytes =  6.6 MB\n   Load Address: 80060000\n   Entry Point:  80060000\n   Verifying Checksum at 0x9f070040 ...OK\n   Uncompressing Kernel Image ... OK\n\nStarting kernel ...\n\n[    0.000000] Linux version 3.18.11 (bamboo@ip-10-104-116-153) (gcc version 4.8                                                           .3 (OpenWrt\/Linaro GCC 4.8-2014.04 unknown) ) #3 Mon Nov 18 09:53:13 UTC 2019\n[    0.000000] bootconsole [early0] enabled\n[    0.000000] CPU0 revision is: 00019750 (MIPS 74Kc)\n[    0.000000] SoC: Qualcomm Atheros QCA9558 ver 1 rev 0\n\n\u2026&lt;snip&gt;<\/code><\/pre>\n\n\n\n<p><em>Yay!!!!!!!!!!<\/em><br><em>Much better than a CRC failure&#8230;.!!<\/em><\/p>\n\n\n\n<p>Conclusion, notes:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>After having disconnected the serial interface and put the AP back together it was installed in my system again and it immediately worked perfectly <em>\ud83d\ude0a<\/em>. <\/li><li>A few hours of investigation (and fun) paid off. <\/li><li>Never give up if there is still hope! <\/li><li>Things certainly do not always work out the way you want or expect. So, do not underestimate what some good whisky can do along the way to keep your spirits up! 
<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1008\" height=\"756\" src=\"https:\/\/blog.madengineer.tech\/wp-content\/uploads\/2020\/03\/Whisky_small.jpg\" alt=\"\" class=\"wp-image-62\" srcset=\"https:\/\/themadengineer.net\/wp-content\/uploads\/2020\/03\/Whisky_small.jpg 1008w, https:\/\/themadengineer.net\/wp-content\/uploads\/2020\/03\/Whisky_small-300x225.jpg 300w, https:\/\/themadengineer.net\/wp-content\/uploads\/2020\/03\/Whisky_small-768x576.jpg 768w, https:\/\/themadengineer.net\/wp-content\/uploads\/2020\/03\/Whisky_small-850x638.jpg 850w\" sizes=\"auto, (max-width: 1008px) 100vw, 1008px\" \/><figcaption>Ardbeg &#8211; fuelling the work<\/figcaption><\/figure>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Problem, background: My Sophos AP15 became \u2019bricked\u2019 after an update. Symptom: The LED is solid orange (yellow) and there is no response using ethernet. In addition, no maintenance port exists, at least not on my AP. Initial actions: A chat with Sophos support did not result in anything useful. 
Googling the problem resulted in quite&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[18],"tags":[7,8,4,5,3,6],"class_list":["post-32","post","type-post","status-publish","format-standard","hentry","category-hardware","tag-accesspoint","tag-ap15","tag-bricked","tag-problem","tag-sophos","tag-tftp"],"_links":{"self":[{"href":"https:\/\/themadengineer.net\/index.php\/wp-json\/wp\/v2\/posts\/32","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/themadengineer.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/themadengineer.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/themadengineer.net\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/themadengineer.net\/index.php\/wp-json\/wp\/v2\/comments?post=32"}],"version-history":[{"count":30,"href":"https:\/\/themadengineer.net\/index.php\/wp-json\/wp\/v2\/posts\/32\/revisions"}],"predecessor-version":[{"id":177,"href":"https:\/\/themadengineer.net\/index.php\/wp-json\/wp\/v2\/posts\/32\/revisions\/177"}],"wp:attachment":[{"href":"https:\/\/themadengineer.net\/index.php\/wp-json\/wp\/v2\/media?parent=32"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/themadengineer.net\/index.php\/wp-json\/wp\/v2\/categories?post=32"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/themadengineer.net\/index.php\/wp-json\/wp\/v2\/tags?post=32"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}