Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update. Please follow knowledge base article 133945
Learn about the Benefits of Multi-Factor Authentication (MFA). Turn your MFA on now!
We'd love to hear about it! Click here to go to the product suggestion community
I have a sophos AP55 that doesn't seems to be responding. It doesn't receive an IP from the UTM appliance. When it starts up the status led is green and stays solid.
Is there a tool available to flash the firmware? I see a tool available but the AP 55 is not supported.
In reply to Emily:
I have fixed my AP55 over the serial connection (called cosole port at the AP).
Sophos doesn't provide a recovery tool to fix a broken AP55, you must send it back! That was not a solution for me, so I try to bring it back to life! I have droped my AP55 from the AP-List on the UTM, but then it doesn't come up again. It stays weak green, no blinking, nothing.
Then I have found the following post:
But the interesting thing ist the following:
For troubleshooting issues, I needed to know some more Informations about why an AP 55 was not getting discovered by my Sophos UTM. Therefore I decided to connect my Notebook to the AP's Console Port to figure out what can be done via Console Port. Because those Informations could be helpful for anybody else, here you are. Connection can be established, using 115200 Baud. There is no login Password required. Just press enter.
So, you buy a RJ-45 to serial-connector and plug the serial-connector in your PC.
I have done that with a USB-to-Serial-Converter. A cheap adpater from amazon. But with Windows 10, the device doesn’t come up. I found the following driver:
An then, tada. You are able to connect to the AP through the adapter.
I have connected me to the AP with putty, You must switch to serial connection and add the Baudrate: 115200. The right COM-Port can you see in the Windows Device Manager. In the empty window you must press enter. When you pull out the power from the AP, you can see U-Boot comes up an try to load the OpenWRT-Firmware, that SOPHOS deploys for the APs.
But in my case, the following problem occured:
U-Boot 1.1.4-gcb612594 (Dec 23 2016 - 12:50:03)
ELX version: 1.0.0
7679WSC - Scorpion 1.0DRAM:
ath_ddr_initial_config(178): (32bit) ddr2 init
tap = 0x00000003
Tap (low, high) = (0x5, 0x1b)
Tap values = (0x10, 0x10, 0x10, 0x10)
Flash Manuf Id 0xc2, DeviceId0 0x20, DeviceId1 0x18
Flash [MX25L12845E] sectors: 256
Flash: 16 MB
athrs_sgmii_res_cal: cal value = 0xe
Fetching MAC Address from 0x87fed9ec
ath_gmac_enet_initialize: reset mask:c02200
Scorpion ---->8035 PHY*
AR8035 PHY reg init
: cfg1 0x80000000 cfg2 0x7114
[0:4]Phy ID 4d:d072
Port 0, Neg Success
Setting 0x18116290 to 0x458ba14f
Hit any key to stop autoboot: 0
## Booting image at 9f070000 ...
Image Name: MIPS OpenWrt Linux-3.18.11
Created: 2016-12-23 12:57:39 UTC
Image Type: MIPS Linux Kernel Image (gzip compressed)
Data Size: 7132027 Bytes = 6.8 MB
Load Address: 80060000
Entry Point: 80060000
Verifying Checksum at 0x9f070040 ...Bad Data CRC
Speed is 1000T
The firmware is corrupt, that is the problem.
It takes me one day to find the right solution, but I don’t want to show you the whole shit i tried. So, only the interesting things.
First we must make a little network from the PC to the Sophos AP.
On the PC or an other device you must provide a TFTP-Server and a DHCP-Server.
I use the following tools:
The problem is the AP knows rests of the network configuartion. When you download the firmware to the AP, It only takes it from the IP, that it shows up.
Back in the putty-serial-session, you must stop U-Boot to load the corrupt image.
At this step at the boot, press any key:
Then you are in the U-Boot-Bootloader, where the magic happends.
Type help to see the possible commands:
? - alias for 'help'
autoscr - run script from memory
base - print or set address offset
bdinfo - print Board Info structure
boot - boot default, i.e., run 'bootcmd'
bootd - boot default, i.e., run 'bootcmd'
bootelf - Boot from an ELF image in memory
bootm - boot application image from memory
bootp - boot image via network using BootP/TFTP protocol
bootvx - Boot vxWorks from an ELF image
cmp - memory compare
coninfo - print console devices and information
cp - memory copy
crc32 - checksum calculation
dhcp - invoke DHCP client to obtain IP/boot params
echo - echo args to console
erase - erase FLASH memory
ethreg - S26 PHY Reg rd/wr utility
exit - exit script
flinfo - print FLASH memory information
go - start application at address 'addr'
help - print online help
iminfo - print header information for application image
itest - return true/false on integer compare
loop - infinite loop on address range
md - memory display
compute MD5 message digestmii - MII utility commands
mm - memory modify (auto-incrementing)
mtest - simple RAM test
mw - memory write (fill)
nfs - boot image via network using NFS protocol
nm - memory modify (constant address)
pci - list and access PCI Configuration Space
ping - send ICMP ECHO_REQUEST to network host
pll cpu-pll dither ddr-pll dither - Set to change CPU & DDR speed
printenv- print environment variables
progmac - Set ethernet MAC addresses
protect - enable or disable FLASH write protection
rarpboot- boot image via network using RARP/TFTP protocol
reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
sendmagic - (usage) send/broadcast MAGIC PACKET to network host
- <timeout> timeout for response
- <retry> number of times magic to be sent to network host
- <devid_base_addr> baseaddr of sector containing devid
- <devid_len> offset to base addr
- <offset_to_baseaddr> offset to base addr
sendsts - send status of firmware recovery process
- <stscode> 0 - send apstate, non-zero - send specified statuscode
setenv - set environment variables
sleep - delay execution for some time
test - minimal test like /bin/sh
tftpboot- boot image via network using TFTP protocol
version - print monitor version
We want to know the IP, from where the AP expect the firmware, so type:
dup 1 speed 1000
Using eth0 device
TFTP from server 192.168.99.8; our IP address is 192.168.99.9
Load address: 0x81000000
Loading: T T T T T T T T T T T T T T
My AP wants to download it from 192.168.99.8 (the firmware must named exactly like the „Filename“ above).
Now you must setup the DHCP-Server and the TFTP-Server on your PC to the IP-Range that the AP wants and connect the AP to the NIC where you put the DHCP-Server on. Give the TFTP-Server the address that the AP wants to have (in my case 192.168.99.8).
You can download all the firmware files for the APs from your UTM. Connect via WinSCP to the UTM (you must enable shell access in the WebAdmin), connect with the loginuser.
Go to /etc/wireless/firmware and download AP55.uimage
Copy your firmware in your TFTP-Server-Root-Directory on your PC and name it like the AP it wants to have. In my case: uImage_AP100 (without filetype!)
Then type the following in the putty-serial-connection:
Bytes transferred = 7132091 (6cd3bb hex)
Now you have the Image on the AP at the address: 0x81000000
Now erase the flash memory.
You must calculate the right memory spaces in hex. We have made it for the AP55, for other APs it can be different. You can flash other APs with this procedure, but with other memory spaces and other firmwares. ;-)
I show you how we calculate from where to where we must erase the flash memory.
boot_params = 0x87F7BFB0
memstart = 0x80000000
memsize = 0x08000000
flashstart = 0x9F000000
flashsize = 0x01000000
flashoffset = 0x00029CD4
ethaddr = 00:00:AA:BB:CC:DD
ip_addr = 192.168.99.9
baudrate = 115200 bps
You can see the flashsize, this is important. When you boot the AP, and it ends up with bad-checksum error, you can see the memory address where the AP wants to find the boot-image, look here:
So you must add 0x9f070000 plus 0x01000000 with a hex-calculator. With the Windows Calc you can do that, the result is: A0070000
Type the following:
ath> era 0x9f070000 0xA0070000
First 0x7 last 0xff sector size 0x10000 255
Erased 249 sectors
So, now you are ready to flash the firmware image to flash memory, that we put with TFTP at the address:
0x6cd3bb is the size of the image. That info we get from TFTP-copy-process at the end, watch above.
0x9f070000 is the address where U-Boot want to find the image, you can see it above at the moment of the boot.
More infos for U-Boot:
ath> cp.b 0x81000000 0x9f070000 0x6cd3bb
Copy to Flash...
Copy 7132091 [0x6cd3bb] byte to Flash... write addr: 9f070000
Now you are ready to go. Type boot and have fun, now the following must be appear:
Verifying Checksum at 0x9f070040 ...OK
Uncompressing Kernel Image ... OK
Starting kernel ...
Later you can find it at Sophos UTM as a new AP and manage it.
I hope, I can help a manny people with this HOW-TO.
Sorry for my english and grammar failures. I type this fast and with a german Microsoft WORD..
Enjoy your new AP! :)
In reply to RobinDobbermann:
Thanks a lot! worked for me.
One thing i found trange.. Below the output of my tftpboot. Here you see the AP is asking for AP55.uImage i copieed it form my utm and renamed it to uImage_AP55.
Afther i loaded it on the AP you see the size was different from you example, but i guest this was because you used the AP100 image.
Bytes transferred = 7131890 (6cd2f2 hex)
So after i followd your steps, loaded the image (cp.b 0x81000000 0x9f070000 0x6cd2f2) and run boot, i get the follow error message; Bad Magic Number..
After this i tried the AP100 image, and this one worked.. the only thing now is that my UTM sees the AP as a AP100 instead of a AP55..
Thanks for you instruction, it helpt me a lot!
It work at AP100:
Has anyone connected to the AP console via a Mac? I think I need to do this for an AP55 that get's an IP but then refuses to do anything else (doesn't show as pending in UTM).
Welcome any other suggestions for diagnostics etc. too!
i have the same problem with Sophos AP 55, but when i try to access via console, using putty, after enter, i was asked for login, "OpenWrt login:"
its a new unit, i don't remember setting up any user and password, any suggestion? thanks.
In reply to JackyKornet:
i've encountered the same problem as you, with an brand new AP55. After finishing all steps of Robins how-to I got the "bad magic number" error. I've solved this issue by using Robins size at the cp.b command. After that my Access Point works great again with the AP55 firmware.
In reply to Stefan Zettl:
I also got the same problem "bad magic number" after the first try with the correct size on AP55.
So I tried it with the size from Robin as you described - no success.
Then I copied the AP100 firmware to the AP55 with the name of the expected AP55 firmware and with the shown size from current session.
It works. But I did not want a AP55 shown as AP100 in my config as described from Jacky.
So I repeated all the steps now with the correct AP55 firmware and the correct size again and now it works.
Thank you all!