Aruba AP to IAP conversion

This is just a small snippet on how to convert a controller-based Aruba AP to a standalone IAP. This writeup is for an AP-274, but it should work similarly on most ArubaOS-based access points.

You’ll need:

  • The access point
  • Console access (a serial or micro-USB cable, depending on the AP)
  • A valid firmware file from Aruba
  • A TFTP and a DHCP server

We’re going to interrupt the boot process using the serial console and overwrite the image with the one that’s hosted on our TFTP server.

Before we touch the AP, we need to set up the TFTP server. I usually like to rename the file to something that’s simple to type in and just place it in the root folder of the TFTP server. The AP will look for the file on a computer with a hostname of aruba-master, although this can be overridden, but I’ll use it in this writeup. So, set the hostname of the computer that’s going to host the TFTP server and start the server with the file in place.

Next, we need to access the bootloader, apboot. Follow the below instructions:

  1. Connect the serial cable and open a serial console. The settings are usually 9600 baud, 8 data bits, 1 stop bit, no parity, no flow control, but this may vary based on what you’re flashing.
  2. Once the console is open, power on the AP.
  3. Interrupt the boot process by pressing ENTER when prompted, you’ll only have 2 seconds to do this
  4. If it didn’t work, leave the serial cable in place and reboot the AP

Once you see the apboot> prompt, you have to verify the DHCP settings. This is to ensure that the network is properly set up. Just use the dhcp command. help lists all the available commands, and help <command> gives you some brief instructions on how to use them.

The output of dhcp should look something like this:

eth0: link up, speed 1 Gb/s, full duplex
DHCP broadcast 1
DHCP IP address:
DHCP subnet mask:
DHCP def gateway:
DHCP DNS server:
DHCP DNS domain: local.domain

And printenv should look like this:

bootcmd=boot ap

Environment size: 280/131068 bytes

In the above, the servername parameter is the hostname where it’ll look for the TFTP server. You can change it using setenv servername <new_hostname>. Using the serverip environment variable should also work.

So far, we haven’t changed anything, but from here on we will, so here’s the usual disclaimer:

ONLY PROCEED AT YOUR OWN RISK. There is a chance that you can brick the device, for which I will not be responsible.

Now we have to erase the boot image and flash the replacement from the TFTP server. Some APs have multiple partitions, which means we have to erase both.

Using osinfo you can determine whether that’s the case or not:

Partition 0 does not contain a valid OS image

Partition 1:
    image type: 0
  machine type: 25
          size: 6659784
  build string: ArubaOS version for 22x (p4build@cyprus) (gcc version 4.5.1) #41487 SMP Sun Dec 29 18:41:34 PST 2013
         flags: preserve factory

Image is signed; verifying checksum... passed
Signer Cert OK
Policy Cert OK
RSA signature verified.

My AP does have two partitions, so to clear both, we have to run:

apboot> clear os 0
Erasing flash sector @ 0xee000000.... done
Erased 1 sectors
apboot> clear os 1
Erasing flash sector @ 0xee000000.... done
Erased 1 sectors

Once that’s done, the expected output of osinfo is:

Partition 0 does not contain a valid OS image

Partition 1 does not contain a valid OS image

Next, we have to flash the new image with the upgrade os <filename> command, where the filename is the name of the firmware file on the TFTP server. If everything is set up correctly, this will pull the file from the TFTP server and flash it to partition 0. It’ll take a few minutes to complete.

If it’s successful, you can simply type in boot and it’ll boot the newly flashed OS. Do not close the serial session yet. The first boot will take a while, as it needs to initialize a few things.

Wait until you see something like this in the serial console:

 <<<<<       Welcome to the Access Point     >>>>>

You can navigate to the IP address of the AP in a browser and once you’re at the login page, you can try logging in with the admin admin combo. It likely won’t work. You need to go back to the serial console and press enter to get a login prompt. Try to log in with the same credentials here. This should work and once you’re in, you can try again on the web interface.

Similarly, if you attempt to log in on the serial console before opening the web interface, it won’t let you in, so you need to try the website at least once before the CLI.

Then, once you’re in, you’ll be prompted for the country code, which can be changed later using the serial CLI, so it’s not permanent like with Xirrus or Cambium APs. Though even on those APs it can be changed, it’s just a little complicated.

Leave a Reply

Your email address will not be published. Required fields are marked *