This page is currently under construction. You can edit the article to help completing it.
The Linksys EA8300 is a MU-MIMO Tri-Band WiFi router, which has one 2.4GHz and two 5GHz WiFi Interfaces, making it an interesting choice for wireless backhaul or repeater applications. The radios support MCS 0-9 (up through 256 QAM) for devices and paths that are compatible with those high-density modulations.
Note: The first 5 GHz radio (IPQ4019) is limited to ch. 64 and below. The second 5 GHz radio (QCA9888), is limited to ch. 100 and above. This is consistent with OEM firmware and is a result of the ART data and the data in the OEM firmware's cal data. This is perhaps due to RF design optimization and/or interoperation with 2.4 GHz, such as the two, shared antennas.
It has four 1G LAN ports, one 1G WAN port, a USB 3.0 interface and four external antennas.
The device is equipped with a Bluetooth chip. It is powered by an external 12V, 2A power adapter and supports DFS and 256QAM.
Note that the boot loader, by default, erases for flashing an 88 MiB (0x05800000) image size.
Opening the case
Small, flat bladed screwdriver, 3-5 mm, for prying off the feet
Torx TR10 (security) driver or key
Stiff, plastic spatula for prying apart the case top from bottom (slightly smaller than thickness of groove is good)
To open the case, carefully remove the four round rubbers on the back side of EA8300. They are mounted with sticky adhesive. With the label readable, the two upper feet have their screw holes at the 6 o'clock position. The two lower feet have the holes at the 9 o'clock on the left, the 3 o'clock on the right, though not as close to the edge as the upper holes. Knowing the location of these holes may ease the removal of the feet.
Yes, really, use a key made for the security Torx screws. Bondhus makes good sets of keys (such as the 32432, TR6-TR25) that sell for ~US$15. Wiha likely has something similar for European users. Carefully remove the four Torx TR10 (security) screws, revealed by the removal of the feet.
Now, you need to rotate the EA8300 again, to the upper side. It is good to have a little and stable plastic spatula, to open the head cover. Take the spatula and put it carefully between the slot, holding EA8300's body and head cover together. Move the spatula against the head cover, so that you can leverage the body from it. and turn the spatula all around the EA8300's slot (360 degree), while leveraging as described before. Be careful, the clips are thin plastic and can be broken. Now, you should can remove the head cover very easily, without significant force.
The PCB can be carefully rotated up from the front for additional access. If you would like to fully remove the PCB, just remove the antenna plugs on the frontside of the PCB. (Note that u.FL-style plugs have a limited number of cycles, and are very fragile.) Lift up the PCB a little bit, on the antenna-plug-side. Now, pull it carefully to get it removed and beware of the WPS switch on the right side of the case.
→ port.serial general information about the serial port, serial port cable, etc.
Serial connection was made to J3 on the right edge of the PCB, viewed from above and the front of the router.
3.3 V levels seen. Pin 1 is closest to the rear of the device
How to connect to the Serial Port of this specific device: After opening the EA8300, you will find the serial port on the right side, in front of the router, marked as J1 on the PCB.
Insert photo of PCB with markings for serial port
WARNING! This has not been tested, yet and might be wrong.
Serial connection parameters
for Linksys EA8300 V1
(IPQ40xx) # tftp
eth0 PHY0 up Speed :1000 Full duplex
eth0 PHY1 Down Speed :10 Half duplex
eth0 PHY2 Down Speed :10 Half duplex
eth0 PHY3 Down Speed :10 Half duplex
eth0 PHY4 Down Speed :10 Half duplex
*** Warning: no boot file name; using 'C0A80101.img'
Using eth0 device
TFTP from server 192.168.1.254; our IP address is 192.168.1.1
Load address: 0x84000000
During the boot process, dallas login: wan, sysevent received: wan-start=NULL appears over serial, “hiding” the option to log in. Later, [return] may give Linksys13546 login: The password on the device is unchanged from default and root/admin provided a root shell on the device.
There is an extensive set of binaries available.
nandwrite is available, however nanddump is not.
/proc/device-tree is present.
/www/sysinfo.cgi can be executed from the command line, or at http://192.168.1.1/sysinfo.cgi (admin/admin), yielding extensive information about the device
An ext4-formatted USB drive was mounted automatically on insertion (several mount points under /tmp/) and can be used to transfer files from the device. It is possible that the device's in-built file-sharing capabilities could also be used.
Note that a 10 GB virtual drive is not sufficient the way that Ubuntu partitions it during install (2 GB RAM chosen in VirtualBox, 4 GB swap partition created). A 16 GB VDI seems to be sufficient.
Starting to work here, though at this time unable to build a kernel
sudo apt-get install flex bison patch autoconf libncurses5-dev
sudo apt-get install gettext # resolve "FATAL ERROR: msgfmt does not seem to be installed."
sudo apt-get install tcl # resolve "/bin/sh: 1: tclsh: not found"
sudo apt-get install gawk # resolve "configure: error: GNU awk is required for lib/memtype.h made by memtypes.awk."
tar jxvf publication/src/arm-cortex-a7-qca-gcc483-linaro/toolchain-arm_cortex-a7_gcc-4.8-linaro.tar.bz2 -C /opt
export PATH STAGING_DIR
rm -rf /opt/qsdk/*
sudo mkdir /opt/qsdk
sudo chown jeff:jeff /opt/qsdk
Note that make clean after a build, followed by make may result in Too many levels of symbolic links rm -rf /opt/qsdk/* is one way to resolve. (This suggests the extraction of the toolchain with tar may not be needed, not tested.)
by executing make in extracted/iproute2-3.11.0/ a host version will be built (that will not run on the target), but allows the build to continue.
Building Kernel / DTB
The kernel can be built by entering publication/src/linux/ and executing make .configured to download, patch, and configure the sources. Once done, with the proper PATH from make env executed from publication/src/linux/, kernel artifacts can be generated with, for example:
publication/src/linux/extracted/linux-3.14.77$ make ARCH=arm CROSS_COMPILE="arm-openwrt-linux-uclibcgnueabi-" zImage
publication/src/linux/extracted/linux-3.14.77$ make ARCH=arm CROSS_COMPILE="arm-openwrt-linux-uclibcgnueabi-" dtbs
The ART partition is mtd5 and is labeled 0:ART. Partition size is 512 kB (0x80000)
If 0x2f20 (12064) is the “magic” for the start of an ART segment, it is found at offsets of (with OEM DTS references)
./scripts/linksys-image.sh provides insight into how Linksys “signs” firmware, at least for the “Civic” EA6350 v3
# Write Linksys signature for factory image
# This is appended to the factory image and is tested by the Linksys Upgrader - as observed in civic.
# The footer is 256 bytes. The format is:
# .LINKSYS. This is detected by the Linksys upgrader before continuing with upgrade. (9 bytes)
# <VERSION> The version number of upgrade. Not checked so use arbitary value (8 bytes)
# <TYPE> Model of target device, padded (0x20) to (15 bytes)
# <CRC> CRC checksum of the image to flash (8 byte)
# <padding> Padding (0x20) (7 bytes)
# <signature> Signature of signer. Not checked so use Arbitary value (16 bytes)
# <padding> Padding (0x00) (192 bytes)
# 0x0A (1 byte)