TP-Link EAP245 v1

Under Construction!
This page is currently under construction. You can edit the article to help complete it.

Please feel free to contribute and improve the guide.

TP-Link EAP245 v1 is an AC1750 (802.11ac Wave-1) ceiling mount access point.

  • SoC: QCA9563 @ 775MHz
  • RAM: 128MiB DDR2
  • Flash: 16MiB SPI-NOR
  • Wireless 2.4GHz (SoC): b/g/n, 3×3
  • Wireless 5GHz (QCA9880): a/n/ac, 3×3
  • Ethernet (AR8033): 1× 1GbE, 802.3at PoE

The initial source of this page is the relevant OpenWrt commit: https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=b11ad48764404d6eefc01b5acf9e54c9f6f00973.
Please note footnote 1): modern Linux distributions try to prevent you from connecting to legacy ssh servers with outdated authentication methods, which is what the dropbear ssh server on the device offers.

  1. Upgrade the device to stock firmware v1.4.0 if necessary (as of 2025, v1.4.0 is the latest firmware released by the vendor).
  2. Exploit the user management page in the web interface to start the telnet server (telnetd) by changing the username to: ;/usr/sbin/telnetd -l/bin/sh&
  3. Immediately change the malformed username back to admin to make ssh work again.
  4. From your workstation, open the root shell via telnet (telnet <device-ip>) and make /tmp writeable to any user:
    chmod 777 /tmp -R
  5. Extract /usr/bin/uclited from the device via ssh (see footnote 1) and apply the binary patch listed below. The patch is required to prevent uclited -u in the last step from crashing.
    ssh -oPubkeyAcceptedAlgorithms=+ssh-rsa -oHostKeyAlgorithms=ssh-rsa -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@<device-ip> "dd if=/usr/bin/uclited" > uclited
  6. Make a copy of uclited named uclited-patched and apply the binary patch to the copy:
    cp uclited uclited-patched
  7. After patching, copy the patched uclited program back to the device as /tmp/uclited using ssh:
    ssh -oPubkeyAcceptedAlgorithms=+ssh-rsa -o HostKeyAlgorithms=ssh-rsa -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@<device-ip> "dd of=/tmp/uclited" < uclited-patched
  8. Upload the factory image to /tmp/upgrade.bin via ssh (adjust the path to the image file as necessary):
    ssh -oPubkeyAcceptedAlgorithms=+ssh-rsa -o HostKeyAlgorithms=ssh-rsa -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@<device-ip> "dd of=/tmp/upgrade.bin" < ~/Downloads/openwrt-ath79-generic-tplink_eap225-v1-squashfs-factory.bin
  9. Now go back to the telnet session, make the patched uclited binary executable, and run it to install OpenWrt:
    chmod +x /tmp/uclited && /tmp/uclited -u
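
The uploads in steps 7 and 8 can be checked before step 9 runs anything. The script below is an added example, not part of the original guide: it pushes a file with the guide's ssh + dd method, reads it back the same way, and compares SHA-256 hashes on the workstation. The function names push_verified and sha256_of are hypothetical, and sha256sum is assumed to be available on the workstation.

```shell
#!/bin/sh
# Added example (not from the original guide): upload a file to the AP with
# the guide's ssh+dd method, read it back, and compare SHA-256 hashes locally
# so a truncated or corrupted transfer is caught before it is run or flashed.

# Legacy algorithm options, copied from the guide's ssh commands.
LEGACY_OPTS="-oPubkeyAcceptedAlgorithms=+ssh-rsa -oHostKeyAlgorithms=ssh-rsa -oKexAlgorithms=+diffie-hellman-group1-sha1"

# sha256_of (hypothetical helper): print only the hex digest of stdin.
sha256_of() { sha256sum | cut -d' ' -f1; }

# push_verified <local-file> <remote-path> <device-ip>   (hypothetical name)
# Exit status: 0 = readback matches, 1 = mismatch, 2 = local file unreadable,
#              3 = upload command failed.
push_verified() {
    local_file=$1; remote_path=$2; device=$3
    [ -r "$local_file" ] || { echo "cannot read $local_file" >&2; return 2; }
    want=$(sha256_of < "$local_file")

    # Upload exactly as in the guide (dd of=...). LEGACY_OPTS is left
    # unquoted on purpose so it splits into separate ssh options.
    ssh $LEGACY_OPTS "admin@$device" "dd of=$remote_path" < "$local_file" \
        || return 3

    # Read the file back (dd if=...) and hash it on the workstation, so no
    # hashing tool is needed on the device. A failed readback hashes empty
    # input and therefore shows up as a mismatch.
    got=$(ssh $LEGACY_OPTS "admin@$device" "dd if=$remote_path" < /dev/null \
          | sha256_of)

    if [ "$want" != "$got" ]; then
        echo "MISMATCH $remote_path: local $want, device $got" >&2
        return 1
    fi
    echo "OK $remote_path sha256=$want"
}

# Stand-alone use: ./push_verified.sh uclited-patched /tmp/uclited <device-ip>
if [ "$#" -eq 3 ]; then
    push_verified "$@"
fi
```

Run it once for uclited-patched and once for the factory image, and continue to step 9 only if both report OK.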

1)
This guide has been tested under GNU/Linux. Modern distributions try to prevent you from connecting to an outdated and insecure ssh server such as the one the AP device provides. You need to find a workaround to make your operating system connect to an old ssh server. On modern Fedora, you have to enable the legacy crypto policy by executing: sudo update-crypto-policies --set LEGACY. Do not forget to switch this back to DEFAULT after you have flashed the OpenWrt image to the AP device.
  • Last modified: 2025/01/31 20:58
  • by heis22011