@NiKiZe
Last active July 15, 2025 01:19
Aruba AP-315 To IAP-315 and trying to extract config

Convert AP-315 to instant AP mode

Based on

Connect a serial TTL cable, power on, and wait for the "Hit <Enter> to stop autoboot:" prompt.

APBoot 1.5.5.7 (build 56398)
Built: 2016-09-08 at 14:21:29

Model: AP-31x
DRAM:  491 MB
SF:    Detected MX25U3235F with page size 64 kB, total 4 MB
Flash: 4 MB
NAND:  132 MiB
PCIE0: link up
PCIE1: link up
       dev fn venID devID class  rev    MBAR0    MBAR1    MBAR2    MBAR3
       00  00  168c  0046 00002   00 00000004 00000000 00000000 00000000
       dev fn venID devID class  rev    MBAR0    MBAR1    MBAR2    MBAR3
       00  00  168c  0040 00002   00 00000004 00000000 00000000 00000000
Power: 802.3af POE
In:    serial
Out:   serial
Err:   serial
Net:   eth0
Radio: qca9983#0, qca9990#1
Reset: cold
FIPS:  passed

Hit <Enter> to stop autoboot:  0
apboot> 

Let's disable the watchdog so we can work without automatic reboots (not working as expected).

apboot> nodog
Watchdog disabled
apboot>

Collect some system info for easy copy paste

apboot> mfginfo
Inventory:
Card 0: System
        Wired MAC           : 00:4e:35:xx:xx:xx
        Wired MAC Count     : 2
        Serial              : CNGWXXXXXX
        Date Code           : 120118
Card 1: CPU
        Assembly            : 2010252C
        Major Rev           : 06
        Minor Rev/Variant   : 00
        Date Code           : 120118
Card 2: Antenna
        Minor Rev/Variant   : 01
apboot> printenv
bootdelay=2
baudrate=9600
autoload=n
boardname=Glenfarclas
servername=aruba-master
bootcmd=boot ap
autostart=yes
bootfile=ipq806x.ari
mtdids=nand0=nand0
ethaddr=00:4e:35:xx:xx:xx
NEW_SBL2=1
stdin=serial
stdout=serial
stderr=serial
machid=1260
mtdparts=mtdparts=nand0:0x2000000@0x0(aos0),0x2000000@0x2000000(aos1),0x4000000@0x4000000(ubifs)
partition=nand0,0
mtddevnum=0
mtddevname=aos0
ethact=eth0
apboot> osinfo
Partition 0 does not contain a valid OS image

Partition 1:
    image type: 0
......
Image is signed; verifying checksum... passed
SHA2 Signature available
Signer Cert OK
Policy Cert OK
RSA signature verified using SHA2.
apboot>

Generate the ccode SHA-1. For US, replace RW below with US.

# sha1 from RW-<serial>
proginv system ccode CCODE-RW-<sha1>
# Make flash memory writable
invent -w

# Run DHCP, if you need manual IP setup that can be done as well 
dhcp

apboot> help upgrade
upgrade boot <file>
   - upgrade the APBoot image from <file>
upgrade os [<n>] <file>
   - upgrade OS in partition <n> from <file>
upgrade prov <file>
   - upgrade provisioning image from <file> (AKA, "upgrade os 1 <file>")

  <file> can be <TFTP-server-IP>:<path>

# Since there is no OS in partition 0, we only upgrade partition 1
# Note: the TFTP server IP can be part of the upgrade <file> argument, which avoids the need for setenv serverip 192.168.1.101
upgrade os 1 192.168.1.101:ArubaInstant_Hercules_8.11.1.0_86591

# reboot into new firmware
reset

Note that we do not want to use saveenv unnecessarily.

Instead of upgrade os, consider using setenv serverip 192.168.1.101; tftpboot ArubaInstant_Hercules_8.11.1.0_86591. Once the OS is up, use upgrade.

Search the internet for the filename to grab the firmware. The recommendation is to convert to the older firmware, and upgrade after the AP is up and running in IAP mode.

What other options do we have from apboot? It is a modified version of U-Boot, which is GPL. We can still get this:

Hit <Enter> to stop autoboot:  0
apboot> nodog
Watchdog disabled
apboot> diag
apboot> help
?              - alias for 'help'
autoreboot     - toggles rebooting due to idle timeout
base           - print or set address offset
boot           - boot the OS image
checkcal       - verify the calibration data
change         - active partition
clear          - clear the OS image or other information
cmp            - memory compare
cp             - memory copy
crc32          - checksum calculation
dhcp           - invoke DHCP client to obtain IP/boot params
diag           - display/hide diag commands in help
endog          - enable watchdog
erase          - FLASH memory
factory_reset  - reset to factory defaults
print          - FLASH memory information
gpio           - poke GPIO pin
gpio_pins      - show GPIO pin status
help           - print online help
icrc32         - checksum calculation
iloop          - infinite loop on address range
imd            - i2c memory display
print          - header information for application image
imm            - i2c memory modify (auto-incrementing)
imw            - memory write (fill)
inm            - memory modify (constant address)
invent         - display/write Manufacturing inventory contents
Switch         - between SBL and Linux kernel page layout.
iprobe         - probe to discover valid I2C chip addresses
itest          - return true/false on integer compare
loop           - infinite loop on address range
md             - memory display
mfginfo        - show manufacturing info
mii            - MII utility commands
mm             - memory modify (auto-incrementing)
mt             - Run the memory test suite.
define         - flash/nand partitions
mtest          - simple RAM test
mw             - memory write (fill)
NAND           - sub-system
netget         - load image via network using TFTP protocol
nm             - memory modify (constant address)
nodog          - disable watchdog
osinfo         - show the OS image version(s)
pci            - list and access PCI Configuration Space
ping           - send ICMP ECHO_REQUEST to network host
printenv       - print environment variables
proginv        - program a given entry in the inventory
enable         - or disable FLASH write protection
purgeenv       - restore default environment variables
read_cmp       - read and compare memory to val
readpci        - read 32 bit word from 32 bit address with swapping
reset          - Perform RESET of the CPU
saveenv        - save environment variables to persistent storage
setenv         - set environment variables
sf             - SPI flash sub-system
print          - SMEM FLASH information
tftpboot       - boot image via network using TFTP protocol
ubi            - commands
upgrade        - upgrade the APBoot or OS image
version        - display version
wdog           - stop petting the watchdog
writepci       - write 32 bit word to 32 bit address with swapping
apboot>
apboot> ubi info
UBI: MTD device name:            "mtd=1"
UBI: MTD device size:            32 MiB
UBI: physical eraseblock size:   131072 bytes (128 KiB)
UBI: logical eraseblock size:    126976 bytes
UBI: number of good PEBs:        255
UBI: number of bad PEBs:         1
UBI: smallest flash I/O unit:    2048
UBI: VID header offset:          2048 (aligned 2048)
UBI: data offset:                4096
UBI: max. allowed volumes:       128
UBI: wear-leveling threshold:    4096
UBI: number of internal volumes: 1
UBI: number of user volumes:     1
UBI: available PEBs:             4
UBI: total number of reserved PEBs: 251
UBI: number of PEBs reserved for bad PEB handling: 2
UBI: max/mean erase counter: 8/1
apboot>
apboot> mtdparts

device nand0 <nand0>, # parts = 3
 #: name                size            offset          mask_flags
 0: aos0                0x02000000      0x00000000      0
 1: aos1                0x02000000      0x02000000      0
 2: ubifs               0x04000000      0x04000000      0

active partition: nand0,0 - (aos0) 0x02000000 @ 0x00000000

defaults:
mtdids  : nand0=nand0
mtdparts: none
apboot>

apboot> ubi part ubifs
apboot> ubi info
UBI: MTD device name:            "mtd=2"
UBI: MTD device size:            64 MiB
UBI: physical eraseblock size:   131072 bytes (128 KiB)
UBI: logical eraseblock size:    126976 bytes
UBI: number of good PEBs:        512
UBI: number of bad PEBs:         0
UBI: smallest flash I/O unit:    2048
UBI: VID header offset:          2048 (aligned 2048)
UBI: data offset:                4096
UBI: max. allowed volumes:       128
UBI: wear-leveling threshold:    4096
UBI: number of internal volumes: 1
UBI: number of user volumes:     1
UBI: available PEBs:             4
UBI: total number of reserved PEBs: 508
UBI: number of PEBs reserved for bad PEB handling: 5
UBI: max/mean erase counter: 41/39
apboot> ubi info layout
UBI: volume information dump:
UBI: vol_id          0
UBI: reserved_pebs   499
UBI: alignment       1
UBI: data_pad        0
UBI: vol_type        3
UBI: name_len        5
UBI: usable_leb_size 126976
UBI: used_ebs        499
UBI: used_bytes      63361024
UBI: last_eb_bytes   126976
UBI: corrupted       0
UBI: upd_marker      0
UBI: name            ubifs

UBI: volume information dump:
UBI: vol_id          2147479551
UBI: reserved_pebs   2
UBI: alignment       1
UBI: data_pad        0
UBI: vol_type        3
UBI: name_len        13
UBI: usable_leb_size 126976
UBI: used_ebs        2
UBI: used_bytes      253952
UBI: last_eb_bytes   2
UBI: corrupted       0
UBI: upd_marker      0
UBI: name            layout volume


The goal from here is to back up the config and firmware from an AP that we have lost access to (the previous admins "forgot" to document credentials before they left).

Images on this AP have a special format. Sources for this U-Boot code are available, so it probably isn't impossible to create such images, which would be great for the community to have. But for now we are looking for dumps.



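ubi part aos0
ubi info
ubi read 0x44000000 aos0
# md.b takes its count in hex, as U-Boot commands do by default: 31236096 bytes = 0x1dca000
md.b 0x44000000 0x1dca000

ubi part aos1
ubi info
ubi read 0x44000000 aos1
# 31109120 bytes = 0x1dab000
md.b 0x44000000 0x1dab000


ubi part ubifs
ubi info
ubi read 0x44000000 ubifs
# No size specified -> Using max size (63361024)
# 63361024 bytes = 0x3c6d000
md.b 0x44000000 0x3c6d000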

This will be horribly slow at 9600 baud. For ubifs, maybe there could be some kind of dump that reads only the relevant used blocks/bytes and not the full partition, but we need more info about how this partition is used to be able to do that.
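
One way to turn a serial capture of the md.b output back into a binary and see which rows were lost in transit, as an added example that is not part of the original gist. It assumes APBoot prints rows in the stock U-Boot md.b layout (address, colon, 16 hex bytes, ASCII column, about 79 characters per row including the line ending); `parse_md_dump`, `estimate_hours` and the sample capture are constructed for illustration.

```python
import re

# One md.b row: 8-hex-digit address, colon, 1..16 hex bytes; the ASCII column is ignored.
ROW = re.compile(r"^([0-9a-fA-F]{8}):((?: [0-9a-fA-F]{2}){1,16})")

# Constructed sample capture (not from a real AP); the row at 0x44000020 was "lost".
SAMPLE = """\
apboot> md.b 0x44000000 0x40
44000000: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f    ................
44000010: 41 72 75 62 61 20 74 65 73 74 20 64 61 74 61 21    Aruba test data!
44000030: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
apboot>
"""

def parse_md_dump(lines, base, size):
    """Rebuild `size` bytes dumped from `base`; return (image, gaps, rejected)."""
    image = bytearray(size)   # bytes never seen in the capture stay zero
    gaps = []                 # (start, end) address ranges missing from the capture
    rejected = []             # line numbers whose address is outside the dump window
    expected = base
    for lineno, line in enumerate(lines, 1):
        m = ROW.match(line.strip())
        if not m:
            continue          # prompts, echoed commands, blank lines
        addr = int(m.group(1), 16)
        row = bytes.fromhex(m.group(2).replace(" ", ""))
        if addr < base or addr + len(row) > base + size:
            rejected.append(lineno)   # corrupted address digit, do not trust the row
            continue
        if addr > expected:
            gaps.append((expected, addr))   # dropped or truncated rows before this one
        image[addr - base:addr - base + len(row)] = row
        expected = max(expected, addr + len(row))
    if expected < base + size:
        gaps.append((expected, base + size))
    return bytes(image), gaps, rejected

def estimate_hours(size, baud, chars_per_row=79):
    """Transfer time for an md.b dump at 8N1 (10 bits per character on the wire)."""
    rows = -(-size // 16)     # ceiling division: 16 bytes per row
    return rows * chars_per_row * 10 / baud / 3600

if __name__ == "__main__":
    image, gaps, rejected = parse_md_dump(SAMPLE.splitlines(), 0x44000000, 0x40)
    print(len(image), [(hex(a), hex(b)) for a, b in gaps], rejected)
    print(f"ubifs at 9600 baud: about {estimate_hours(63361024, 9600):.0f} hours")
```

Any range reported in `gaps` can be re-read with a second, short md.b over just that address range and parsed into the same image.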
