Welcome to TP-LINK Tech Support Forum
  1. #1

    How to recover firmware via console port when your device is down? For EAP120/220/320 only

    Dear all forum members,

    Recently we have received feedback that some users' devices went down during a firmware upgrade, so here are some methods for you all to recover them.
    Unfortunately, this method is only available for EAP120/220/320, since only these three models are equipped with a console port; kindly note this.
    Sorry for the inconvenience, and thank you for your understanding if this method is not suitable for you.

    We have already uploaded the image file and guide document; you can download them freely from the following link according to your actual model:




    If you are faced with any difficulties during these operations, feel free to follow up in this post.
    Finally, we wish you all success!

    TP-Link Technical Support Team
    Last edited by Rain_TP-Link; 09-13-2017 at 10:45.

  2. #2
    R1D2
    Great, thank you!

    To recover the firmware for an EAP110 (and probably the EAP220/320, too), you could use pretty much the same procedure, but have to enable the console port first. Here is how it works on EAP110 (note that it will void your warranty I guess):

    1. Remove the 4 rubber pads and the screws on the bottom.

    [Image: IMG_7001.JPG]

    2. Carefully lift off the top from the bottom case. Take care not to break the four strap joints - one on each side - so better use a tool for unmounting (if you don't have such a tool at hand, use a guitar pick or similar). Start with the front side (where the LED sits) and proceed to the back side last. See second picture below for the position of the strap joints:

    [Image: IMG_7005.JPG] [Image: IMG_7008.JPG]

    3. On the PCB board the J3 header is the console. Leftmost pin is Vcc (3.3V), next one is GND, second-right is RxD, rightmost is TxD. Either connect your 3.3 volts serial-to-USB adapter to the holes directly or solder in a pin header.

    [Image: IMG_7011.JPG]

    4. The TxD/RxD pins are not functional (yet). On the back side of the PCB locate R105 near J3. Although labeled R for resistor, there is actually none. Kind of a "hardware password" I guess. Short-circuit both solder joints of R105 (first picture below). This will enable the TxD (transmitting) line of the serial console. Use an SMD soldering tip to short-circuit the solder joints if you have one (I could even get one from Weller for my 35-year-old Weller soldering station for a few bucks). Or, if you are in a hurry, use a short strip of an electric tape such as from 3M, which is conductive on both sides (second picture).

    [Image: IMG_7017.JPG] [Image: IMG_7015.JPG]

    5. Locate R101 on the front side of the PCB (red circle on picture below). Same game, short-circuit the solder joints. This will enable the RxD (receiving) line of the serial console. The orange circle shows a pin header soldered into J3.

    [Image: IMG_7018.JPG]

    6. Serial console is enabled now. Connect a serial-to-USB adapter, make sure it's 3.3 volt levels, not standard RS232C levels!

    [Image: IMG_7022.JPG]

    7. Connect to the serial adapter using your favorite terminal emulation. UNIX/Linux guys most often use cu(1), you will find it on your UNIX-based MacBook, too. Speed is 115200, 8 bits, no parity. Then boot the EAP110:

    $ cu -s 115200 -l /dev/tty.usbserial-B10c724g
    U-Boot 1.1.4--LSDK-10.2-00082-4 (Dec  3 2014 - 17:30:11)
    board953x - Honey Bee 2.0DRAM:  
    Honey Bee 2.0
    ath_ddr_initial_config(195): (16bit) ddr2 init
    tap = 0x00000003
    Tap (low, high) = (0x6, 0x37)
    Tap values = (0x1e, 0x1e, 0x1e, 0x1e)
    64 MB
    Flash Manuf Id 0xef, DeviceId0 0x40, DeviceId1 0x17
    flash size 8MB, sector count = 128
    Hello U-Boot, nice to see you.

    Abort the boot by pressing the any key (the big large one in the front row of your keyboard).

    eth1 up
    eth0, eth1
    Setting 0x181162c0 to 0x50a1a100
    Hit any key to stop autoboot:  0 <anykey>

    Print U-Boot's environment to see the command aliases for loading and flashing the firmware:

    ath> printenv
    bootargs=console=ttyS0,115200 root=31:02 rootfstype=jffs2 init=/sbin/init mtdparts=ath-nor0:256k(u-boot),64k(u-boot-env),2240k(rootfs),1408k(uImage),64k(mib0),64k(ART)
    bootcmd=bootelf 0x9f040000
    lu=tftp 0x80060000 ${dir}u-boot.bin&&erase 0x9f000000 +$filesize&&cp.b $fileaddr 0x9f000000 $filesize
    lf=tftp 0x80060000 ${dir}board953x${bc}-jffs2&&erase 0x9f050000 +0x630000&&cp.b $fileaddr 0x9f050000 $filesize
    lk=tftp 0x80060000 ${dir}vmlinux${bc}.lzma.uImage&&erase 0x9f680000 +$filesize&&cp.b $fileaddr 0x9f680000 $filesize
    Environment size: 689/65532 bytes

    Command lu is for TFTP loading and flashing the bootloader, command lf most certainly for loading/flashing the rootfs and command lk for loading/flashing the kernel.

    Prepare those files on a TFTP server, define its address in environment variable serverip and a free IP in the same subnet for the EAP's ipaddr. To get the required firmware files, either connect to a spare EAP110 using ssh and pull them out of the mtd partitions or extract them from a firmware file. Or maybe, TP-Link could kindly provide them, too.

    Partition layout is:

    7 cmdlinepart partitions found on MTD device ath-nor0
    Creating 7 MTD partitions on "ath-nor0":
    0x000000000000-0x000000020000 : "u-boot"
    0x000000020000-0x000000030000 : "pation-table"
    0x000000030000-0x000000040000 : "product-info"
    0x000000040000-0x0000001c0000 : "kernel"
    0x0000001c0000-0x0000007c0000 : "rootfs"
    0x0000007c0000-0x0000007f0000 : "config"
    0x0000007f0000-0x000000800000 : "ART"

    Happy de-bricking!
    Last edited by R1D2; 09-13-2017 at 19:42.

  3. #3
    Hello everybody,

    This is my very 1st post here.
    I got an EAP330 (V1, EU) bricked while I was trying to install previous firmware versions, mostly because I wanted to check if other 5GHz channels were earlier available.
    When it was working, it allowed choosing only four 20MHz channels, if I recall correctly, channels 36, 40, 44 and 48. I think that selecting '80MHz only' these would span only one channel. Also, the fcc.io data show it supports further channels.
    Well, I tried two or three firmwares, and then it got stuck on 58% flashing orange. I tried to flash other versions before it rebooted, but all of them failed at 58%. I wasn't surprised when it turned out to be bricked. Now it keeps cycling steady green for a long time, then flashes red, then flashes orange, then steady green for several seconds.
    I saw R1D2's post and thought it was worth a try this weekend. So I need help on the following questions:
    (a) Is there any (remote) chance that EAP330 doesn't have an internal serial header? (Maybe this is just a last minute question to convince me to return it instead of opening it. Dave Jones tells me to tear it apart, but I think it applies only before you turn it on...)
    (b) Is it possible to extract these files 'app.squashfs', 'rootfs.squashfs' and 'uImage' directly from TP-Link's EAP330 firmware?
    (c) How can I find the right offsets for the EAP330, in case they differ from EAP320?


  4. #4
    Hi everybody,

    I went ahead and opened the EAP330. The EAP's TX worked immediately. I had to remove a metal platform containing the antennae in order to bridge an adjacent missing SMD resistor. Since I don't have the files 'app.squashfs', 'rootfs.squashfs' and 'uImage' for the EAP330, I tried the boot option for updating firmware. It connected to the ftp, downloaded the .bin file, wrote to the memory, but it didn't recover the unit. At boot it reports a CRC error. There's another boot option for a full firmware update, but I didn't try this one.

    So, could TP-Link kindly provide these recovery files for the EAP330 (EU, V1)?

    Regards.

  5. #5
    Hi R1D2,

    Could you please give more details on how the firmware files could be extracted from another unit or from a firmware file?

    Originally posted by R1D2:
    To get the required firmware files, either connect to a spare EAP110 using ssh and pull them out of the mtd partitions or extract them from a firmware file. Or maybe, TP-Link could kindly provide them, too.

  6. #6
    R1D2
    Unfortunately I do not have an EAP330, so I can't check the exact positions of the images.

    But in general, you need to find the partition table of the firmware file. For example, for EAP120 the partition table of the V1_20170113 firmware starts at file offset 4116:

    fwup-ptn partition-table base 0x00800 size 0x00800      
    fwup-ptn support-list base 0x01000 size 0x00038 
    fwup-ptn product-info base 0x01038 size 0x001d4 
    fwup-ptn soft-version base 0x0120c size 0x00014 
    fwup-ptn os-image base 0x01220 size 0xde8a8     
    fwup-ptn file-system base 0xdfac8 size 0x5cb000

    To extract the kernel (os-image) add the file offset 0x01220 (= 4640) to the partition table offset (4640 + 4116 = 8756) to get the start of the kernel image. Then extract the kernel using the given size (0xde8a8 = 911528) using the dd command in Linux or macOS:

    dd if='TL-EAP120v120_eu_2.0.3_[20170113-rel55696]_up_signed.bin' of=vmlinuz.dat skip=8756 count=911528 bs=1

    Next, extract the squashfs file system. It starts at file offset 0xdfac8 (= 916168) + 4116 = 920284 and has size 0x5cb000 (= 6074368):

    dd if='TL-EAP120v120_eu_2.0.3_[20170113-rel55696]_up_signed.bin' of=squashfs.dat skip=920284 count=6074368 bs=1

    For EAP330, do this for uImage (kernel), rootfs.squashfs and app.squashfs instead of the files shown above.

    Then find the device partition table in the firmware image, it looks like this (again for EAP120):

    partition partition-table base 0x20000 size 0x02000
    partition default-mac base 0x30000 size 0x01000
    partition support-list base 0x31000 size 0x00100
    partition product-info base 0x31100 size 0x00400
    partition soft-version base 0x32000 size 0x00100
    partition os-image base 0x40000 size 0x180000
    partition file-system base 0x1c0000 size 0x600000
    partition user-config base 0x7c0000 size 0x10000
    partition backup-config base 0x7d0000 size 0x10000
    partition log base 0x7e0000 size 0x10000
    partition radio base 0x7f0000 size 0x10000

    This gives you the positions in the flash chip relative to 0x9f000000 (on EAP120!).
    For the EAP330 use the command flinfo in U-Boot to find out its flash layout.

    Hope this helps.
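
The extraction steps in the post above can be scripted so the offsets are computed and bounds-checked instead of typed into dd by hand. This is an added example, not part of the original post or TP-Link code; it assumes the first `fwup-ptn ` marker is the table start and runs on a constructed miniature image, with `build_sample`, `extract` and `flash_plan` being hypothetical names.

```python
import re

# Matches both table flavours quoted in the post:
#   fwup-ptn os-image base 0x01220 size 0xde8a8     (layout of the firmware file)
#   partition os-image base 0x40000 size 0x180000   (layout of the flash chip)
ENTRY = re.compile(rb"(fwup-ptn|partition) ([\w-]+) base (0x[0-9a-fA-F]+) size (0x[0-9a-fA-F]+)")

def parse_table(blob, kind):
    """Return {name: (base, size)} for all entries of one kind."""
    return {m[2].decode(): (int(m[3], 16), int(m[4], 16))
            for m in ENTRY.finditer(blob) if m[1] == kind}

def extract(blob, name):
    """Cut one fwup-ptn partition out of the firmware file, bounds-checked."""
    table_off = blob.find(b"fwup-ptn ")  # assumption: first marker is the table start
    if table_off < 0:
        raise ValueError("no fwup-ptn table found")
    base, size = parse_table(blob, b"fwup-ptn")[name]
    start = table_off + base             # bases are relative to the table offset
    if start + size > len(blob):
        raise ValueError(f"{name} runs past the end of the file")
    return blob[start:start + size]

def flash_plan(blob, name, flash_base=0x9F000000):
    """Return (flash address, image); refuse images larger than their flash partition."""
    image = extract(blob, name)
    base, size = parse_table(blob, b"partition")[name]
    if len(image) > size:
        raise ValueError(f"{name}: {len(image)} bytes do not fit in {size}")
    return flash_base + base, image

def build_sample():
    """Constructed miniature image (not real firmware) in the layout described above."""
    table = (b"fwup-ptn os-image base 0x00100 size 0x00010\n"
             b"fwup-ptn file-system base 0x00110 size 0x00020\n"
             b"partition os-image base 0x40000 size 0x180000\n"
             b"partition file-system base 0x1c0000 size 0x600000\n")
    body = table.ljust(0x100, b"\0") + b"K" * 0x10 + b"S" * 0x20
    return b"\xff" * 20 + body           # 20 header bytes, then the table

if __name__ == "__main__":
    fw = build_sample()
    for part in ("os-image", "file-system"):
        addr, image = flash_plan(fw, part)
        print(f"{part}: {len(image)} bytes -> flash 0x{addr:08x}")
```

The default `flash_base` of 0x9f000000 is the EAP120 value from the post; on another model, take the base from flinfo before trusting the computed addresses.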


Copyright 1996-2017 TP-LINK Technologies Co., Ltd. All rights reserved.