3CX DLL-Sideloading attack: What you need to know

Open box APX 120: solid red LED as soon as plugged in, no blinking orange/green LED. Restart does nothing.

I purchased an APX 120 used. The access point presents a solid red LED as soon as it's plugged in. Doing a quick, or even a full reset by holding the button down in the back does not reboot the device. It stays a solid red color.

I suspect it may be bricked, but the manual says the solid red color could indicate the APX cannot find the wireless controller, or if the reset button is pressed... it is initiating a configuration reset. I allowed the device to sit for several minutes.

In the UTM 9.7, It showed no wireless protection log or a pending access point.

I am using the power adapter of my AP15 to power the APX120 which appears to be the same 12V 1 amp power supply, as the access point lists on the back as the requirement.

Does the unit have issues with a power supply and should I use a POE injector instead? The manual says the APX can be powered with an APX120 power supply which is also 12V, 1 amp, 12 watts.

The Sophos flash tool does not even support this access point, so short of using one of those USB/Eth cables, could there be something I'm overlooking or doing wrong? 

The power adapter I am using powers the AP 15 with no issue, so either the APX needs different power or a POE injector. Here is the AP 15 power supply.

[edited by: alan weir at 11:32 PM (GMT -8) on 25 Jan 2023]
  • I have the relevant log filters open:

    system messages


    wireless protection

    Still I am getting no logs or activity on the UTM. The LED is solid red at all times, even during a full reboot.

  • Unfortunately bricked APX 120 are very common. There has been a software issue (in the UTM) which bricks them upon updating.
    If you don't see any DHCP requests (and bought it on eBay very cheap Wink without warranty) this is very likely.

    Using the Sophos flashing tool (it requires an network connection to the boot loader) or alternate power will not help.

    If you have an strong electronics background and are used to the mentioned tools, here is a very good tutorial for unbricking them.
    I managed to rescue several APX 120 bought via eBay for 1€ by following it.
    Thanks to btw, for posting the relevant memory addresses - he got them from an working APX.

    In case you don't dare or don't have the right tools your best bet is that they are still on warranty and will be replaced by Sophos.

  • If it hasn't bricked, I would try a PoE injector or PoE switch method instead.  I've only known to use that route for these APs. 

    XG 19.5 GA 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | GB Ethernet x5

  • Hi,

    if you are not shure what the APX120 does on Ethernet, use a Laptop and Wireshark and capture the traffic on the Ethernet Port.
    Next step would be an USB/RS232 Adapter (the pink one is fine PL2303HXD) and use putty to view the uBoot ... 

    The same happens with some APX320  (they do not work with new AP 11.0.020 FW anymore).
    Maybe i will try some old images for this model (they use the same uimages in APX120 and APX320)

    Last year, these APX were not available in Germany. So debricking was the only way to go.
    Thanks to some NAND Glitch, you can break uboot... Grin

  • Bricked... that's what I thought since the RED LED came on solid as soon as I first plugged it. I mean as *soon* as power from the adapter hit it, so I doubt the UTM even had a chance to see it in order to flash a bad firmware image.

    The seller's policy is "RMA required" for all non-functioning products, so I hope I will not get the runnaround if the AP is still under warranty.

    Does Sophos's warranty on access points carry over when the item is sold to a different person? I sure do not want to open the product and void any warranty. I know my way around SSH/linux commands but I want to see what' they'll do for the return.

  • The same happens with some APX320  (they do not work with new AP 11.0.020 FW anymore).
    Maybe i will try some old images for this model (they use the same uimages in APX120 and APX320)

    That is absurd. Why are they releasing firmware that is not compatible with their own products that say they are compatible with the latest version of the UTM/XG? What company does this?

  • Weary

    now i bricked my APX320 ..

    I had it running with OpenWrt after enabling the bootdelay and loading an older APX.uimage...

    Press the [f] key and hit [enter] to enter failsafe mode
    Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
    Please press Enter to activate this console.
    BusyBox v1.23.2 (2018-11-27 07:01:45 UTC) built-in shell (ash)
    root@OpenWrt:/# ls
    bin     download lib        proc    sbin    usr
    config  etc      mnt        rom     sys     var
    dev     init     overlay    root    tmp     www

    I modified the bootdelay and stopped uboot, loaded a different Kernel image, started config@1 and downloaded a correct APX.uimage for upgrading to 11.0.020 out of the of OpenWrt ecosystem ...

    currently i get this error message

    libubi: error!: "/dev/null" has major:minor 1:3, but this does not correspond to any existing UBI device or volume
    ubiupdatevol: error!: "/dev/null" is not an UBI volume node

    but i it got bricked ..

    Now i don´t have any kernel image inside the NAND and the bootdelay is back to 0 ...

    Why does a APX320 has two Reset buttons (one pinhole and one SMD under the heatsink - both do a reset).

    Now i have to Glitch the NAND again ... Grin

  • I think only the original customer gets a warranty.
    But for these APX320 i could keep the broken device. 

  • You had Openwrt running on an APX?? What was it like? did you have the full gui?

  • Hi,

    this is an old Sophos Image booted in OpenWrt through tftp 

    After i erased the NAND i failed to get the Image back… and it was bricked..

    Hit any key to stop autoboot:  0
    Volume image not found!
    Wrong Image Format for bootm command
    ERROR: can't get kernel image!

    Ok, back again ..

    I changed the autoboot to 5 sec and i can enter uboot again...

    BI: number of PEBs reserved for bad PEB handling: 40
    UBI: max/mean erase counter: 1/1
    SF: Detected GD25Q32 with page size 4 KiB, total 4 MiB
    Hit any key to stop autoboot:  5
    rnaq-sph1 #