This page is currently under construction. You can edit the article to help completing it.
The Linksys EA8300 is a MU-MIMO Tri-Band WiFi router, which has one 2.4GHz and two 5GHz WiFi Interfaces, making it an interesting choice for wireless backhaul or repeater applications. The radios support MCS 0-9 (up through 256 QAM) for devices and paths that are compatible with those high-density modulations.
Note: The first 5 GHz radio (IPQ4019) is limited to ch. 64 and below. The second 5 GHz radio (QCA9888), is limited to ch. 100 and above. This is consistent with OEM firmware and is a result of the ART data and the data in the OEM firmware's cal data. This is perhaps due to RF design optimization and/or interoperation with 2.4 GHz, such as the two, shared antennas.
It has four 1G LAN ports, one 1G WAN port, a USB 3.0 interface and four external antennas.
The device is equipped with a Bluetooth chip. It is powered by an external 12V, 2A power adapter and supports DFS and 256QAM.
Build or download from the OpenWrt site a factory.bin image.
If the device has already been configured, you may wish to preserve the settings in both the form that the OEM firmware provides, as well as notes on what you may wish to configure under OpenWrt. The OEM settings are not compatible with OpenWrt and cannot be transferred directly.
There are two ways to reset the Linksys EA8300 to factory defaults:
* Hardware Reset – Press and hold the Reset button on the back panel of the Linksys EA8300 for about 10 seconds.
* Software Reset – Log in to your Linksys cloud account. Under Router Settings, click Troubleshooting > Diagnostics. Click Reset under Factory reset.
Only the hardware-reset technique has been confirmed by the author.
Connect an Ethernet cable to one of the “LAN” ports. Do not connect the “Internet” port.
Connect the other end of the Ethernet cable to an interface configured on the 192.168.1.0/24 network. While DHCP may work for this, a fixed IP address may ease configuration under OpenWrt when the device reboots.
Installation Through OEM GUI
The Linksys GUI makes it challenging to navigate past their “helpful” cloud service and to find how to upload firmware. If you get totally lost and can't get there, a reset to factory defaults, as described just above, can be helpful.
These screenshots and directions for OEM v1.1.3, as shipped in early 2019.
Power up the router and wait for it to boot, The white, LINKSYS light will be on solid when the router is booted and ready.
Open a browser and navigate to http://192.168.1.1/
Do not hit “Next” but instead proceed to “Manual configuration”
On the “Internet connection is down” screen, after confirming that the “Login” button is to “log in to your router without Internet access”, click the “Login” button.
On the “Sign In” screen, enter the password, then click “Sign In”. At this time (early 2019), the default is admin
On the “Smart Wi-Fi Tools” screen, select “Connectivity”
On the “Connectivity” screen, in the “Manual” section, choose the OpenWrt factory.bin file using the file-picker window.
Once you have confirmed you have selected the proper OpenWrt factory.bin file, click “Start”
You're given one more warning
The firmware will upload, the router will reboot, and likely when the browser refreshes, will tell you that the router was not found. This may occur even if you have LuCI installed, as the URL is not one that LuCI recognizes. OpenWrt should be running at this point with default “LAN” address, 192.168.1.1/24 in early 2019.
Note: “snapshot” builds do not have LuCI pre-installed. Once you have SSH access and Internet access, it can be installed with
opkg install luci-ssl-nginx
If you believe that you may want to return to OEM firmware, do not flash twice at this time to make return to OEM simple.
The OEM firmware will remain on the “other” firmware of the two that this device keeps. This device, with OEM or with OpenWrt, “see-saws” between the two sets with every flash. As a result, if you flash from the just-installed OpenWrt, it will overwrite your previous OEM version.
Small, flat bladed screwdriver, 3-5 mm, for prying off the feet
Torx TR10 (security) driver or key
Stiff, plastic spatula for prying apart the case top from bottom (slightly smaller than thickness of groove is good)
To open the case, carefully remove the four round rubbers on the back side of EA8300. They are mounted with sticky adhesive. With the label readable, the two upper feet have their screw holes at the 6 o'clock position. The two lower feet have the holes at the 9 o'clock on the left, the 3 o'clock on the right, though not as close to the edge as the upper holes. Knowing the location of these holes may ease the removal of the feet.
Yes, really, use a key made for the security Torx screws. Bondhus makes good sets of keys (such as the 32432, TR6-TR25) that sell for ~US$15. Wiha likely has something similar for European users. Carefully remove the four Torx TR10 (security) screws, revealed by the removal of the feet.
Now, you need to rotate the EA8300 again, to the upper side. It is good to have a little and stable plastic spatula, to open the head cover. Take the spatula and put it carefully between the slot, holding EA8300's body and head cover together. Move the spatula against the head cover, so that you can leverage the body from it. and turn the spatula all around the EA8300's slot (360 degree), while leveraging as described before. Be careful, the clips are thin plastic and can be broken. Now, you should can remove the head cover very easily, without significant force.
The PCB can be carefully rotated up from the front for additional access. If you would like to fully remove the PCB, just remove the antenna plugs on the frontside of the PCB. (Note that u.FL-style plugs have a limited number of cycles, and are very fragile.) Lift up the PCB a little bit, on the antenna-plug-side. Now, pull it carefully to get it removed and beware of the WPS switch on the right side of the case.
→ port.serial general information about the serial port, serial port cable, etc.
Serial connection was made to J3 on the right edge of the PCB, viewed from above and the front of the router.
3.3 V levels seen. Pin 1 is closest to the rear (Ethernet ports) of the device
Serial connection parameters
for Linksys EA8300 V1
Boot log for “firmware version 188.8.131.52925” indicates 3.14.77
Revert to Stock
To revert to stock, the OEM firmware should be available on the device. For the purposes of this description, it is at /tmp/FW_EA8300_184.108.40.206539_prod.img
Realize that any time you are writing to flash using low-level commands, there is the chance of unrecoverable corruption. Make sure that you understand what these commands are doing and ensure that the power to the device is not interruptible.
The first step is to determine which firmware you wish to flash. The currently mounted OpenWrt firmware can usually be determined by
The U-Boot commands run flashimg and run flashimg2 will retrieve the file referenced by $image from the TFTP server and flash it to part 1 or part2, respectively.
Changing the next-boot partition is suggested, remember to saveenv if it has been changed. run bootpart1 or run bootpart2 “ignores” boot_part. reset will reboot, and then begin the boot sequence with the persisted environment.
: Determine if/how the Linksys utility works. (fyi: it does not work for EA6350v3 which is very similar to EA8300)
The EA8300 is a dual firmware device. ie. There are 2 partitions and Linksys firmware is copied to both partitions at the factory. When you install/update the Linksys firmware, or install/update OpenWrt, the new firmware is always written to the other partition. Upon restarting the EA6350v3, it will subsequently try to boot from the newly installed firmware image from other partition.
If the device fails to boot after install or upgrade, whilst the unit is turned on:
Wait 15 seconds
Switch Off and Wait 10 seconds
Repeat steps 1 to 3, 3 times then go to 5.
U-boot will switch back to the last working firmware - you should be able to access your router on LAN.
The above method can be used to toggle between the two firmwares.
Warning: If you install/update OpenWrt more than once, both partitions will be overwritten with OpenWrt firmwares, and you won't be able to revert back to Linksys OEM firmware using above method.
→ port.jtag general information about the JTAG port, JTAG cable, etc.
How to connect to the JTAG Port of this specific device: Insert photo of PCB with markings for JTAG port
U-Boot 2012.07 [Chaos Calmer 15.05.1,r35193] (Nov 02 2017 - 16:33:09)
CBT U-Boot ver: 1.2.9
smem ram ptable found: ver: 1 len: 3
DRAM: 256 MiB
machid : 0x8010006
NAND: ID = 9590daef
Vendor = ef
Device = da
ONFI device found
SF NAND unsupported id:ff:ff:ff:ffSF: Unsupported manufacturer ff
ipq_spi: SPI Flash not found (bus/cs/speed/mode) = (0/0/48000000/0)
MMC: qca_mmc: 0
PCI0 Link Intialized
Net: MAC0 addr:0:3:7f:ba:db:ad
PHY ID1: 0x4d
PHY ID2: 0xd0b1
Updating boot_count ... done
Hit any key to stop autoboot: 0
(IPQ40xx) # version
U-Boot 2012.07 [Chaos Calmer 15.05.1,r35193] (Nov 02 2017 - 16:33:09)
arm-openwrt-linux-uclibcgnueabi-gcc (OpenWrt/Linaro GCC 4.8-2014.04 r35193) 4.8.3
GNU ld (GNU Binutils) 2.24.0
(IPQ40xx) # tftp
eth0 PHY0 up Speed :1000 Full duplex
eth0 PHY1 Down Speed :10 Half duplex
eth0 PHY2 Down Speed :10 Half duplex
eth0 PHY3 Down Speed :10 Half duplex
eth0 PHY4 Down Speed :10 Half duplex
*** Warning: no boot file name; using 'C0A80101.img'
Using eth0 device
TFTP from server 192.168.1.254; our IP address is 192.168.1.1
Load address: 0x84000000
During the boot process, dallas login: wan, sysevent received: wan-start=NULL appears over serial, “hiding” the option to log in. Later, [return] may give Linksys13546 login: The password on the device is unchanged from default and root/admin provided a root shell on the device.
There is an extensive set of binaries available.
nandwrite is available, however nanddump is not.
/proc/device-tree is present.
/www/sysinfo.cgi can be executed from the command line, or at http://192.168.1.1/sysinfo.cgi (admin/admin), yielding extensive information about the device
An ext4-formatted USB drive was mounted automatically on insertion (several mount points under /tmp/) and can be used to transfer files from the device. It is possible that the device's in-built file-sharing capabilities could also be used.
Note that a 10 GB virtual drive is not sufficient the way that Ubuntu partitions it during install (2 GB RAM chosen in VirtualBox, 4 GB swap partition created). A 16 GB VDI seems to be sufficient.
Starting to work here, though at this time unable to build a kernel
sudo apt-get install flex bison patch autoconf libncurses5-dev
sudo apt-get install gettext # resolve "FATAL ERROR: msgfmt does not seem to be installed."
sudo apt-get install tcl # resolve "/bin/sh: 1: tclsh: not found"
sudo apt-get install gawk # resolve "configure: error: GNU awk is required for lib/memtype.h made by memtypes.awk."
tar jxvf publication/src/arm-cortex-a7-qca-gcc483-linaro/toolchain-arm_cortex-a7_gcc-4.8-linaro.tar.bz2 -C /opt
export PATH STAGING_DIR
rm -rf /opt/qsdk/*
sudo mkdir /opt/qsdk
sudo chown jeff:jeff /opt/qsdk
Note that make clean after a build, followed by make may result in Too many levels of symbolic links rm -rf /opt/qsdk/* is one way to resolve. (This suggests the extraction of the toolchain with tar may not be needed, not tested.)
by executing make in extracted/iproute2-3.11.0/ a host version will be built (that will not run on the target), but allows the build to continue.
Building Kernel / DTB
The kernel can be built by entering publication/src/linux/ and executing make .configured to download, patch, and configure the sources. Once done, with the proper PATH from make env executed from publication/src/linux/, kernel artifacts can be generated with, for example:
publication/src/linux/extracted/linux-3.14.77$ make ARCH=arm CROSS_COMPILE="arm-openwrt-linux-uclibcgnueabi-" zImage
publication/src/linux/extracted/linux-3.14.77$ make ARCH=arm CROSS_COMPILE="arm-openwrt-linux-uclibcgnueabi-" dtbs
The ART partition is mtd5 and is labeled 0:ART. Partition size is 512 kB (0x80000)
If 0x2f20 (12064) is the “magic” for the start of an ART segment, it is found at offsets of (with OEM DTS references)
./scripts/linksys-image.sh provides insight into how Linksys “signs” firmware, at least for the “Civic” EA6350 v3
# Write Linksys signature for factory image
# This is appended to the factory image and is tested by the Linksys Upgrader - as observed in civic.
# The footer is 256 bytes. The format is:
# .LINKSYS. This is detected by the Linksys upgrader before continuing with upgrade. (9 bytes)
# <VERSION> The version number of upgrade. Not checked so use arbitary value (8 bytes)
# <TYPE> Model of target device, padded (0x20) to (15 bytes)
# <CRC> CRC checksum of the image to flash (8 byte)
# <padding> Padding (0x20) (7 bytes)
# <signature> Signature of signer. Not checked so use Arbitary value (16 bytes)
# <padding> Padding (0x00) (192 bytes)
# 0x0A (1 byte)
toh/linksys/linksys_ea8300.txt · Last modified: 2019/10/21 16:53 by tmomas