How to flash new Firmware on Cisco Access Point Aironet air-ap1121g-e-k9

I've got an old Cisco AP and want to reflash the firmware to unlock the settings.

Connect via Serial and power on via 48V PoE

Serial Pinout Board => RasPi/USB :: | VCC | RX => TX | G => G | TX => RX | NV |

Set up the Cisco 800 series router for power-up and connect the router to the switch with the PC, or connect the PC directly to the switch, depending on your home network and how many spare patch cables you have ;)

Using screen to connect with the Raspberry Pi

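# Enable the TTL UART in /boot/config.txt
[ALL]
enable_uart=1

# Reboot

# Connect with 9600 baud, 8N1 (no parity, one stop bit, 8 data bits)
# /dev/ttyAMA0 is the GPIO UART on a Raspberry Pi 1; a USB serial adapter
# shows up as /dev/ttyUSB0 or /dev/ttyACM0 instead
screen /dev/ttyAMA0 9600,-parenb,-cstopb,cs8
Easy connection using a Raspberry Pi 1 with Tiny Core OS as the serial UART connector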

Set up IPs and copy the new firmware via TFTPd

On the PC: set the IP to 10.0.0.3/8, connect to the switch and shut down firewall / AV etc.
Hold the Mode button for 30 seconds while powering on the AP. You will then see the following output:

Serial output log, 9600 baud / 8N1, no flow control
Xmodem file system is available.
flashfs[0]: 145 files, 7 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 7741440
flashfs[0]: Bytes used: 4544512
flashfs[0]: Bytes available: 3196928
flashfs[0]: flashfs fsck took 13 seconds.
Base ethernet MAC Address: 00:0e:d7:fa:03:68
Initializing ethernet port 0...
Reset ethernet port 0...
Reset done!
ethernet link up, 100 mbs, full-duplex
Ethernet port 0 initialized: link is up
Loading "flash:/c1100-k9w7-mx.123-8.JA2/c1100-k9w7-mx.123-8.JA2"...#################################################################################################################################################################################################################################################################################################################################################################

File "flash:/c1100-k9w7-mx.123-8.JA2/c1100-k9w7-mx.123-8.JA2" uncompressed and installed, entry point: 0x3000
executing...

              Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706



Cisco IOS Software, C1100 Software (C1100-K9W7-M), Version 12.3(8)JA2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Tue 30-May-06 17:41 by pwade
Image text-base: 0x00003000, data-base: 0x0068FE60

Initializing flashfs...

flashfs[1]: 145 files, 7 directories
flashfs[1]: 0 orphaned files, 0 orphaned directories
flashfs[1]: Total bytes: 7741440
flashfs[1]: Bytes used: 4544512
flashfs[1]: Bytes available: 3196928
flashfs[1]: flashfs fsck took 2 seconds.
flashfs[1]: Initialization complete....done Initializing flashfs.

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco AIR-AP1121G-E-K9     (PowerPCElvis) processor (revision A0) with 15038K/1336K bytes of memory.
Processor board ID FOC08020HBP
PowerPCElvis CPU at 197Mhz, revision number 0x0950
Last reset from power-on
1 FastEthernet interface
1 802.11 Radio(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:0E:D7:FA:03:68
Part Number                          : 73-7886-07
PCA Assembly Number                  : 800-21481-07
PCA Revision Number                  : A0
PCB Serial Number                    : FOC08020HBP
Top Assembly Part Number             : 800-22053-04
Top Assembly Serial Number           : FHK0806V3EC
Top Revision Number                  : A0
Product/Model Number                 : AIR-AP1121G-E-K9



Press RETURN to get started!

After restarting, you can find your device in your network once it has obtained an IP address via DHCP.

The username and password are both Cisco.
Web interface look and configuration

Example config:

version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap-1100-01
!
no logging console
enable secret 5 XXX
!
clock timezone GMT 2
ip subnet-zero
ip domain name de
!
!
no aaa new-model
!
dot11 ssid CISCO-AP-1
   authentication open 
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 XXX
!
!
!
username Cisco password 7 XXX
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm 
 !
 ssid CISCO-AP-1
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 hold-queue 80 in
!
interface BVI1
 ip address 192.168.0.10 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.0.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
snmp-server community public RO
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
sntp server pool.ntp.org
sntp broadcast client
end
Remember to replace the XXX placeholders with your own passwords.
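
As an added example (not part of the original post), this Python script audits an IOS config like the one above for its management-plane settings: the well-known SNMP community, HTTP-only web management, local users stored with "password" instead of "secret", the factory "Cisco" username, and vty lines not restricted to SSH. The function name, the check names and the Telnet-by-default behaviour of this IOS generation are assumptions of the example.

```python
import re

# Constructed sample: the security-relevant lines of the example config above.
SAMPLE_CONFIG = """\
enable secret 5 XXX
username Cisco password 7 XXX
ip http server
no ip http secure-server
snmp-server community public RO
line con 0
line vty 0 4
 login local
"""

def audit_ios_config(text):
    """Return sorted (check_id, detail) findings for an IOS-style config."""
    findings = set()
    lines = text.splitlines()
    stripped = [ln.strip() for ln in lines]
    for ln in stripped:
        # Well-known community strings give SNMP read access to anyone who tries them.
        m = re.match(r"snmp-server community (\S+)", ln)
        if m and m.group(1).lower() in ("public", "private"):
            findings.add(("snmp-default-community", m.group(1)))
        m = re.match(r"username (\S+) (password|secret) ", ln)
        if m and m.group(1) == "Cisco":
            # The factory account name is still present.
            findings.add(("default-username", m.group(1)))
        if m and m.group(2) == "password":
            # 'password' is cleartext or reversible type 7; 'secret' stores a hash.
            findings.add(("reversible-user-password", m.group(1)))
    # Web management is offered over cleartext HTTP only.
    if "ip http server" in stripped and "ip http secure-server" not in stripped:
        findings.add(("http-without-tls", "ip http server"))
    # Assumption: on this IOS generation a vty block without
    # 'transport input ssh' also accepts Telnet logins.
    block, vty_ssh_only = None, {}
    for ln in lines:
        if not ln.startswith(" "):
            block = ln.strip() if ln.startswith("line vty") else None
            if block:
                vty_ssh_only[block] = False
        elif block and ln.strip() == "transport input ssh":
            vty_ssh_only[block] = True
    findings.update(("vty-allows-telnet", b) for b, ok in vty_ssh_only.items() if not ok)
    return sorted(findings)

if __name__ == "__main__":
    for check_id, detail in audit_ios_config(SAMPLE_CONFIG):
        print(f"{check_id}: {detail}")
```

Run it against the output of "show running-config" saved to a file; an empty result means none of these five checks fired, not that the config is otherwise sound.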

Alternative ROMMON console reset

# Hold on boot for 10 seconds:
# Quickly press Enter to get into ROMMON:

ap: help
           ? -- Present list of available commands
         arp -- Show arp table or arp-resolve an address
        boot -- Load and boot an executable image
         cat -- Concatenate (type) file(s)
 clear_ether -- clear ethernet port statistics
        copy -- Copy a file
      delete -- Delete file(s)
         dir -- List files in directories
dump_save_regs -- dump saved regs in OCM
       etest -- test emac driver code
  ether_init -- initialize ethernet port
  flash_init -- Initialize flash filesystem(s)
      format -- Format a filesystem
        fsck -- Check filesystem consistency
        help -- Present list of available commands
    init_pci -- initialize pci bridge
    led_test -- cycle led patterns
      memory -- Present memory heap utilization information
       mkdir -- Create dir(s)
        more -- Concatenate (display) file(s)
        read -- read at address
      rename -- Rename a file
       reset -- Reset the system
       rmdir -- Delete empty dir(s)
         set -- Set or display environment variables
    set_baud -- set baud rates
   set_sleep -- Pause (sleep) for a specified number of seconds
  show_ether -- show ethernet port statistics
    show_pci -- show pci setting
switch status -- report push button switch status
         tar -- extract or listing a tar file
    test ram -- read at address
   tftp_init -- Initialize tftp file system
        type -- Concatenate (type) file(s)
       unset -- Unset one or more environment variables
     version -- Display boot loader version
       write -- write at address