Well, one ordinary day I’m about to update the firmware of my tplink like other times, but always, there is one of those times to remember. there is one of those times, that are to remember, and those that make us from thinking to change our perspective a little bit.
Of that of which we know, (That we know nothing), this was my first contact with tin and soldering iron, basic inspiration for the the very large world of electronics.
Unpack Arduino uno
I did this update via wifi, big mistake, by this means there is packet loss, causing an incomplete writing of the firmware in the router’s NVRAM. of the firmware in the NVRAM of the router, in extreme cases like this would prevent us from accessing the router, because it will enter an infinite reboot loop. that it will enter an infinite restart loop, here the bootloader or (u-boot) is what constantly restarts.
Firmware upgrades should always be done with a battery backup, UPS etc.
The first inspiration was from here recovering-a-tp-link-wr1043nd she uses arduino for the serial communication between the router and the pc, she also used linux minicom for the debug of the port, then she assigns an ip address to it thanks to the connection made, getting with this, access to the tplink web interface and the tplink web interface and load some other firmware version.
In my case the situation was much more complex than the previous one, because I didn’t have access to anything, so I had to make I had to erase the hexadecimal zones of the router’s memory completely to install a stock firmware and then some other more current version, such as some other more current version, such as OpenWRT
The information I used was from this post, a post by a German quite restless and it worked in one go.
the necessary requirements are
-
Know how to solder, the basics, also use good solder and solder paste, so that the solder comes to boiling point faster. faster.
-
Multimeter in case you can’t see the pins correctly, it is used to detect the tx, rx, gnd, and vcc.
-
Some serial/usb port converter, in this case an arduino would come in handy, the TX pin of the arduino to the RX of the router, and the RX from the arduino to the TX of the router.
-
Female pins These will allow the wires from the arduino to the router to be much more stable than the ones from the router to the router. arduino to the router are much more stable.
-
Tftp32 to load the firmware and set an ip address to which we will connect from the serial port, insecure protocol in case it is difficult it could be done with the Kermit client. with the Kermit client.
-
Putty to debug the serial port, and connect to the tftp server that will contain the firmware, minicom or some other utility.
-
Cat5e ethernet cable to connect the router to the network card, necessary to use it with the tfpt32 and load the firmware.
Disassembling the router
When disassembling the router we look for the serial port as shown in the image:
After soldering the arduino:
After soldering it would look more or less like this:
When connecting to the serial port we have:
No valid address in Flash. Using fixed address
ath_gmac_enet_initialize: reset mask:c02200
Scorpion ----> S17 PHY *
athrs17_reg_init: complete
: cfg1 0x80000000 cfg2 0x7114
eth0: ba:be:fa:ce:08:41
eth0 up
athrs17_reg_init_wan done
SGMII in forced mode
athr_gmac_sgmii_setup SGMII done
: cfg1 0x800c0000 cfg2 0x7214
eth1: ba:be:fa:ce:08:41
eth1 up
eth0, eth1
Setting 0x18116290 to 0x58b1a14f
is_auto_upload_firmware=0
Autobooting in 1 seconds
At this point we have one second to type the magic word and hit enter:
tpl this ends the infinite loop, German recommends, quickly enter tpl and give enter at one of those times with any luck the loop will end. |
View with Tftp32
With this app we will be able to change the ip of the network card, these screenshots were taken at that moment.
The ip address to use is 192.168.0.5:69
where our server will be listening, we will set it to our network card,
without gateway, nor subnet mask, from putty can be configurable another ip with the command
setenv ipaddr ipaddress
We look for our tplink firmware and rename it to firmware.bin or some other easy name.
Commands to start the process
For version v1.x of tplink 1043nd enter one at a time
when the console displays ar7100> is where the command will be entered example
|
We start like this:
ar7100> erase 0xbf020000 +7c0000 (1)
ar7100> tftpboot 0x81000000 firmware.bin (2)
#7c0000: size of the firmware (be aware that you may have a different size thus bricking your router)
ar7100> cp.b 0x81000000 0xbf020000 0x7c0000 (3)
ar7100> bootm 0xbf020000 (4)
1 | Delete the memory address in the NVRAM that is corrupt → 0xbf020000 |
2 | Download the firmware.bin to a memory area named → 0x81000000
, the following line #7c0000: is a comment. |
3 | Copy the firmware from the address → 0x81000000 to → 0xbf020000
the hexadecimal amount of 0x7c0000 equals 8126464 bytes, which is the weight of the firmware. |
4 | Bootear from zone → 0xbf020000 |
As an example of Decimal to Hex in java
@Test
void decimalToHexString() {
final String size = Integer.toHexString(8126464);
final String actualSize = "7c0000";
assertThat(actualSize).isEqualsTo(size);
}
Example of a corrupted Nvram
old NVRAM
=> md 0x487b0000
487b0000: 19850003 0000000c f060dc98 1985c002 .........`......
487b0010: 0000027b 20bf6d81 00000026 0000b1a7 ...{ .m....&....
487b0020: 000081a4 00000000 00002e13 53c73a96 ............S.:.
487b0030: 53c73a96 53c73a96 000000a4 00000237 S.:.S.:........7
487b0040: 00000f5c 06000000 afa713d7 3f90abaa ...\........?...
487b0050: 785eec96 cb6ed340 1486ddc6 a5082594 x^...n.@......%.
487b0060: fbad018d 104b1cd9 4e4594a9 b240b940 .....K..NE...@.@
487b0070: 51dd806d 45100909 d73eb606 25e3c897 Q..mE....>..%...
487b0080: 0ab1aa54 f50d10ef c08e151b f674cb2b ...T.........t.+
487b0090: 707b80be 41c77626 18214117 2c421acb p{..A.v&.!A.,B..
487b00a0: d6371edb d2f8d36f 9fa3ac37 35a9d7d6 .7.....o...75...
487b00b0: 1bd58abc 2e4cd3b6 621cd443 a1508a39 .....L..b..C.P.9
487b00c0: d9e216d8 b1b4f4fc d1aeb6a1 75517b07 ............uQ{.
487b00d0: 68849221 4646e407 e0a4270d 198dfc30 h..!FF....'....0
487b00e0: 42b6eb21 970c209b 9494e44d b5fbcd86 B..!.. ....M....
487b00f0: 2c6355c5 550bd71c acd6f0b6 cb2e9806 ,cU.U...........
after replacing NVRAM
=> md 0x487b0000
487b0000: 19852003 0000000c f060dc98 ffffffff .. ......`......
487b0010: ffffffff ffffffff ffffffff ffffffff ................
487b0020: ffffffff ffffffff ffffffff ffffffff ................
487b0030: ffffffff ffffffff ffffffff ffffffff ................
487b0040: ffffffff ffffffff ffffffff ffffffff ................
487b0050: ffffffff ffffffff ffffffff ffffffff ................
487b0060: ffffffff ffffffff ffffffff ffffffff ................
487b0070: ffffffff ffffffff ffffffff ffffffff ................
487b0080: ffffffff ffffffff ffffffff ffffffff ................
487b0090: ffffffff ffffffff ffffffff ffffffff ................
487b00a0: ffffffff ffffffff ffffffff ffffffff ................
487b00b0: ffffffff ffffffff ffffffff ffffffff ................
487b00c0: ffffffff ffffffff ffffffff ffffffff ................
487b00d0: ffffffff ffffffff ffffffff ffffffff ................
487b00e0: ffffffff ffffffff ffffffff ffffffff ................
487b00f0: ffffffff ffffffff ffffffff ffffffff ................
=>
Log of the whole process
Isn’t of my authorship but in a real environment, version v1.x.
Where the comandos shown above are displayed again.
U-Boot 1.1.4 (Nov 17 2009 - 11:56:26)
AP83 (ar9100) U-boot 0.0.11
DRAM:
sri
32 MB
id read 0x100000ff
flash size 8MB, sector count = 128
Flash: 8 MB
Using default environment
In: serial
Out: serial
Err: serial
Net: ag7100_enet_initialize...
No valid address in Flash. Using fixed address
: cfg1 0xf cfg2 0x7114
eth0: 00:03:7f:09:0b:ad
eth0 up
eth0
Autobooting in 1 seconds
ar7100> erase 0xbf020000 +7c0000 (1)
First 0x2 last 0x7d sector size 0x10000
125
Erased 124 sectors
ar7100>
ar7100> tftpboot 0x81000000 code.bin (2)
dup 1 speed 1000
Using eth0 device
TFTP from server 192.168.0.5; our IP address is 192.168.0.2
Filename 'code.bin'.
Load address: 0x81000000
Loading: T T T checksum bad
T #################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
############################
done
Bytes transferred = 8126464 (7c0000 hex)
ar7100>
ar7100> cp.b 0x81000000 0xbf020000 0x7c0000 (3)
Copy to Flash... write addr: bf020000
done
ar7100> bootm 0xbf020000 (4)
## Booting image at bf020000 ...
Uncompressing Kernel Image ... OK
Starting kernel ...
Linux version 2.6.32.10 (openwrt@wrt1.marcant.net) (gcc version 4.3.3 (GCC)
) #20 Tue Apr 6 15:01:26 CEST 2010
bootconsole [early0] enabled
CPU revision is: 00019374 (MIPS 24Kc)
Atheros AR9132 rev 2, CPU:400.000 MHz, AHB:200.000 MHz, DDR:400.000 MHz
Determined physical RAM map:
memory: 02000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Zone PFN ranges:
Normal 0x00000000 -> 0x00002000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
0: 0x00000000 -> 0x00002000
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 8128
Kernel command line: rootfstype=squashfs,yaffs,jffs2 noinitrd
console=ttyS0,115200 board=TL-WR1043ND
PID hash table entries: 128 (order: -3, 512 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
Writing ErrCtl register=00000000
Readback ErrCtl register=00000000
Memory: 29332k/32768k available (2101k kernel code, 3436k reserved, 397k
data, 152k init, 0k highmem)
SLUB: Genslabs=7, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
Hierarchical RCU implementation.
NR_IRQS:56
Calibrating delay loop... 266.24 BogoMIPS (lpj=1331200)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
MIPS: machine is TP-LINK TL-WR1043ND
bio: create slab <bio-0> at 0
Switching to clocksource MIPS
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
NET: Registered protocol family 1
squashfs: version 4.0 (2009/01/31) Phillip Lougher
Registering mini_fo version $Id$
JFFS2 version 2.2. (NAND) (SUMMARY) ■■ 2001-2006 Red Hat, Inc.
yaffs Mar 28 2010 17:53:41 Installing.
msgmni has been set to 57
io scheduler noop registered
io scheduler deadline registered (default)
Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
serial8250.0: ttyS0 at MMIO 0x18020000 (irq = 11) is a 16550A
console [ttyS0] enabled, bootconsole disabled
console [ttyS0] enabled, bootconsole disabled
Atheros AR71xx SPI Controller driver version 0.2.4
m25p80 spi0.0: s25sl064a (8192 Kbytes)
Searching for RedBoot partition table in spi0.0 at offset 0x7f0000
No RedBoot partition table detected in spi0.0
spi0.0: no WRT160NL signature found
Creating 5 MTD partitions on "spi0.0":
0x000000000000-0x000000020000 : "u-boot"
0x000000020000-0x000000160000 : "kernel"
0x000000160000-0x0000007f0000 : "rootfs"
mtd: partition "rootfs" set to be root filesystem
mtd: partition "rootfs_data" created automatically, ofs=2A0000, len=550000
0x0000002a0000-0x0000007f0000 : "rootfs_data"
0x0000007f0000-0x000000800000 : "art"
0x000000020000-0x0000007f0000 : "firmware"
Realtek RTL8366RB ethernet switch driver version 0.2.0
rtl8366rb rtl8366rb: using GPIO pins 18 (SDA) and 19 (SCK)
rtl8366rb rtl8366rb: RTL5937 ver. 3 chip found
rtl8366-rtl: probed
eth0: Atheros AG71xx at 0xb9000000, irq 4
Atheros AR71xx hardware watchdog driver version 0.1.0
TCP westwood registered
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
Freeing unused kernel memory: 152k freed
Please be patient, while OpenWrt loads ...
gpio-buttons driver version 0.1.2
input: gpio-buttons as /devices/platform/gpio-buttons/input/input0
Button Hotplug driver version 0.3.1
eth0: link up (1000Mbps/Full duplex)
- preinit -
Registered led device: tl-wr1043nd:green:usb
Registered led device: tl-wr1043nd:green:system
Registered led device: tl-wr1043nd:green:qss
Registered led device: tl-wr1043nd:green:wlan
Press the [f] key and hit [enter] to enter failsafe mode
- regular preinit -
jffs2 not ready yet; using ramdisk
mini_fo: using base directory: /
mini_fo: using storage directory: /tmp/root
- init -
eth0: link down
Please press Enter to activate this console. eth0: link up (1000Mbps/Full
duplex)
device eth0.1 entered promiscuous mode
device eth0 entered promiscuous mode
br-lan: port 1(eth0.1) entering forwarding state
PPP generic driver version 2.4.2
ip_tables: (C) 2000-2006 Netfilter Core Team
NET: Registered protocol family 24
nf_conntrack version 0.5.0 (460 buckets, 1840 max)
CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or
sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
jffs2_scan_eraseblock(): End of filesystem marker found at 0x0
jffs2_build_filesystem(): unlocking the mtd device... done.
jffs2_build_filesystem(): erasing all blocks after the end marker... done.
mini_fo: using base directory: /
mini_fo: using storage directory: /overlay
1 | comandos |
We change the ip address of the network card to another one as follows
-
192.168.1.5
Default configuration of the firmware, so using 192.168.1.1
is the gateway 🔥