Build request for Tp-link TL-WR802N

Miuw
DD-WRT Novice


Joined: 12 Apr 2018
Posts: 11

PostPosted: Mon Apr 16, 2018 15:08    Post subject: Re: MD5 Reply with quote
ian5142 wrote:
Don't bother checking the MD5 checksum. I don't think one is calculated for any dd-wrt builds. I know the one I modified will come up wrong anyway.


OK.
You built your custom firmware above, based on what hardware specifications ?
Any idea why it doesn't work, if it's not the hash ?
ian5142
DD-WRT Guru


Joined: 23 Oct 2013
Posts: 2319
Location: Canada

PostPosted: Mon Apr 16, 2018 15:19    Post subject: TFTP Reply with quote
It will most likely flash fine via TFTP. I based it on the wikidevi specifications here: https://wikidevi.com/wiki/TP-LINK_TL-WR802N_v1.0

I then searched for a router that is already supported with the same SoC, the 841N v9, 10, and 11 all fit the bill. I based my file on the 841N v9, only modifying the header at the start of the file.

TFTP server will flash something. The router has a TFTP client looking for a specific filename served by a TFTP server on 192.168.0.66. Host a TFTP server, using TFTP32/TFTP64 on 192.168.0.66 (set your computer's ip to this manually). Power up the router while holding the Reset button in for at least 10-20 seconds.
Then check the TFTP32/TFTP64 log and it should show that the router was looking for a specific filename.
Rename the file I created to that name exactly. Try powering up the router with the reset button pushed in again. It should grab the file (window pops up on TFTP32/TFTP64 screen). Then wait at least 5 min before touching the router again. It may require a manual reboot, after the 5 minutes. Did I mention wait FIVE WHOLE MINUTES.

_________________
Before asking a question on the forums, update dd-wrt: Where do I download firmware? I suggest reading it all.
QCA Best WiFi Settings


Some dd-wrt wiki pages are up to date, others are not. PM me if you find an old one.

Atheros:
Netgear R7800 x3 - WDS AP / station, gateway, QoS
TP-Link Archer C7 v2 x2 - WDS Station
TP-Link TL-WDR3600 v1 - WDS Station
TP-Link 841nd v8 - NU
D-Link 615 C1/E3/I1 x 7 - 1 WDS station
D-Link 825 B1 - NU
D-Link 862L A1 x2 - WDS Station
Netgear WNDR3700v2 - NU
UBNT loco M2 x2 - airOS

Broadcom
Linksys EA6400 - Gateway, QoS
Asus N66U - AP
Netgear WNDR3700v3 - not used
MediaTek
UBNT EdgeRouter X - switch
Miuw
DD-WRT Novice


Joined: 12 Apr 2018
Posts: 11

PostPosted: Mon Apr 16, 2018 15:26    Post subject: Reply with quote
ok thank you for the link.
I checked with wireshark, the router doesn't seem to send ARP requests for 192.168.0.66 or anything else.
(Which is bit weird, since a lot of routers of tp link have this feature)
I will quadruple check tomorrow.

I used tftpgui on linux.
What are you using yourself as tftp server ?
(I have also tested something on windows, but i'm not sure of the settings (like how to start the server) )

edit:

is this good enough ?
http://www.tricksguide.com/how-to-setup-a-tftp-server-tftpd32-windows.html
ian5142
DD-WRT Guru


Joined: 23 Oct 2013
Posts: 2319
Location: Canada

PostPosted: Mon Apr 16, 2018 22:04    Post subject: TFTP Server Reply with quote
I told you I use TFTP32/TFTP64 on Windows. I am 99% sure the feature is there. As for that page, most of the settings are not required.

Just install a TFTP Server and set it up to look at a simple directory (ex: C:/tftp in Windows). I then set the ethernet card to 192.168.0.66, subnet mask 255.255.255.0. In TFTP32/TFTP64, then select the appropriate interface from the dropdown box. Then deal with the router stuff I mentioned above:
ian5142 wrote:

Power up the router while holding the Reset button in for at least 10-20 seconds.
Then check the TFTP32/TFTP64 log and it should show that the router was looking for a specific filename.
Rename the file I created to that name exactly. Try powering up the router with the reset button pushed in again. It should grab the file (window pops up on TFTP32/TFTP64 screen). Then wait at least 5 min before touching the router again. It may require a manual reboot, after the 5 minutes. Did I mention wait FIVE WHOLE MINUTES.


I will soon be writing a wiki article for this procedure. It will be located in the TP-Link guides category: https://www.dd-wrt.com/wiki/index.php/Category:TP-Link_guides

Miuw
DD-WRT Novice


Joined: 12 Apr 2018
Posts: 11

PostPosted: Tue Apr 17, 2018 8:53    Post subject: Reply with quote
The tftp thing didn't work.
But i'm not 100% sure that i did it correctly, because i tested on a TPlink wr720N (on openwrt) and it also didn't work.


jdomnitz wrote:


It looks like the Chinese version of this router is actually hardware version 1.1 not 1.0 or 2.0.


indeed, so here comes a teardown of the "TL-WR802N Ver: 1.1"






I see here a qca9533-bl3a
(note that on another teardown they have the qca9533-al3a https://www.ifixit.com/Teardown/TP-Link+TL-WR802N+N300+Nano+Router+Teardown/96230)

On the other side:



I see a ESMT M13S2561616A



http://www.esmt.com.tw/english/products_de.asp?CLASS_L1=7&CLASS_L2=56&CLASS_L3=0&CLASS_L4=0
256mb ???

(on the OTHER teardown above, it is a Zentel A3S56D40GTP-50L )



"25q32CSIG", which seem to be a GD25q32c (giga device) (or a "elm tech 25q32c" ???) "32 Mbit (4 MB)"(i am quoting)

I'm not sure of the exact memory size, i guess, it is the 4MB.

(note that on an other teardown it is a "Flash: Winbond W25Q32 (4MB), RAM: 32MB (DDR1)" )
ian5142
DD-WRT Guru


Joined: 23 Oct 2013
Posts: 2319
Location: Canada

PostPosted: Tue Apr 17, 2018 11:28    Post subject: Wikidevi Reply with quote
It is already listed on wikidevi: https://wikidevi.com/wiki/TP-LINK_TL-WR802N_v1.0
Miuw
DD-WRT Novice


Joined: 12 Apr 2018
Posts: 11

PostPosted: Tue Apr 17, 2018 12:58    Post subject: Reply with quote
Not with these exact parameters.
But i guess you mean that it doesnt change anything.

Do you know any good tutorial on how to upload the firmware with the serial port ?
ian5142
DD-WRT Guru


Joined: 23 Oct 2013
Posts: 2319
Location: Canada

PostPosted: Tue Apr 17, 2018 13:53    Post subject: TFTP and Serial Reply with quote
I would suggest reading all of this page: https://openwrt.org/toh/tp-link/tl-wr841nd

https://www.dd-wrt.com/wiki/index.php/Serial_Recovery

You can tell me it does not have TFTP recovery, I know it does, you just have to interrupt the boot process correctly.

Miuw
DD-WRT Novice


Joined: 12 Apr 2018
Posts: 11

PostPosted: Tue Apr 17, 2018 14:23    Post subject: Reply with quote
ok thank you.
For tftp, i don't understand what i can do wrong.

- My router is plugged on my ethernet port, no tension.
- In the adapter properties of ethernet I set 192.168.0.66 and subnet mask 255.255.255.0.
(Note that I am not on a LAN otherwise)
- I switch on tftpd64 and i select 192.168.0.66 in the drop down box.
If i do "netstat -a" in a cmd, "shell" i see:
UDP 0.0.0.0:69 *:*

- Then i take a toothpick, i cut the tip, use this to press on the reset button.
- While i continue to press with the toothpick, i plug the modem and a wire in an USB socket.
- I continue to press with the toothpick maybe 30 sec, until the modem has a steady light.
- But... Nothing.
(Yeah, my ip on the lan is 192.168.0.66)
I may do something wrong, but i have no idea of what it could be...

edit: i made a mistake with the firewall, that should be disabled (on windows) or authorized, but it didn't fix the thing. No arp request for 192.168.0.66 (unless i set this address as my ip in the lan) is no arp request...
Miuw
DD-WRT Novice


Joined: 12 Apr 2018
Posts: 11

PostPosted: Thu Apr 19, 2018 18:35    Post subject: Reply with quote
Ok, so i've just realized that the device (chinese version 1.1) has actually this kind of RSA check:
https://github.com/xdarklight/mktplinkfw3/blob/master/README.md

(However the md5 checksum uses the format #1)

There are 4 publickeyblobs in the file /usr/bin/httpd.
I was able to decipher the string that is in my firmware file header, thanks to this public key (with one).

Note that my own HEX string is at the offset 0xa0 and not at the offset 0xD0 in the firmware.
Obviously to patch successfully this file, someone would need the private key blob.
Cracking rsa 1024 bits is a bit above my skills (even though, i read that it is possible to crack RSA under the right circumstances.)

This httpd file (by its name) seems to control only what happens on the http server.

Conclusion 1: it seems useless to patch this chinese 1.1 version through the http server. (you will get error 18005 if md5 is wrong, or error 18008 if rsa is wrong)

- On this tftp technique.
So i was able to get the Rx on a serial console.
When you keep pressing on reset, the device boots... as usual...
When you release your finger, it resets the device and it reboots... That's all.
In the filesystem, i wasn't able to find anything about this ip 192.168.0.66 (very limited result on the query 192.168.* but all make sense).
This is corroborated to the fact that wireshark is unable to detect any ARP request.

Conclusion 2: this device (chinese 1.1 version) has no tftp server that starts at the startup.

It looks like someone wanted to prevent people from flashing this device...

So what about the serial console ?
Well, i was able to get the Rx, but not the Tx, but my skills in soldering are .. bad. Just not good enough for that and i was a bit too violent, and there will be no Tx anymore, because it is likely that i broke the copper layer of this Tx contactor.
Also I lack experience with serial console and the USB device.

Final conclusion:

So, if you want to flash this chinese version:
- or you find a security weakness in the httpd file (one that a team of professional was unable to find)
- or you can try with the serial port yourself (even if it's possible good luck)...
Or you could buy something else... but it's too bad because i really like this little modem. (Or buy the non chinese version)
May be i'll see if i can write directly to the memory using the connector of the chip, but that's just for the challenge.

I hope, i saved your time.
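The post's point that the public key in httpd can decipher the header string but cannot produce a new one, shown as an added example that is not part of the original post or of TP-Link's code. The toy key, SHA-256 digest, 0x80-byte field length and "signature field zeroed before hashing" layout are assumptions; only the 0xA0 offset comes from the post.

```python
import hashlib

# Constructed toy key built from two Mersenne primes; far too weak for real use.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q                              # public modulus (what a device would hold)
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (vendor only)

SIG_OFFSET = 0xA0                      # offset reported in the post
SIG_LEN = 0x80                         # assumed: room for a 1024-bit signature


def encode_digest(image: bytes) -> int:
    """Hash the image with the signature field zeroed (assumed layout)."""
    blank = image[:SIG_OFFSET] + bytes(SIG_LEN) + image[SIG_OFFSET + SIG_LEN:]
    return int.from_bytes(b"\x01" + hashlib.sha256(blank).digest(), "big")


def sign(image: bytes) -> bytes:
    """Vendor side: requires D. Embeds the signature at SIG_OFFSET."""
    sig = pow(encode_digest(image), D, N).to_bytes(SIG_LEN, "big")
    return image[:SIG_OFFSET] + sig + image[SIG_OFFSET + SIG_LEN:]


def verify(image: bytes) -> bool:
    """Device side: uses only N and E to 'decipher' the field and compare."""
    sig = int.from_bytes(image[SIG_OFFSET:SIG_OFFSET + SIG_LEN], "big")
    return sig < N and pow(sig, E, N) == encode_digest(image)


def demo() -> tuple:
    """Sign a constructed image, then flip one payload bit and re-verify."""
    original = sign(b"HDR!" + bytes(0x200 - 4) + b"kernel+rootfs" * 64)
    patched = bytearray(original)
    patched[-1] ^= 1                   # any change outside the field alters the digest
    return verify(original), verify(bytes(patched))


if __name__ == "__main__":
    print(demo())
```
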
ian5142
DD-WRT Guru


Joined: 23 Oct 2013
Posts: 2319
Location: Canada

PostPosted: Fri Apr 20, 2018 2:02    Post subject: Chinese Version Reply with quote
You never mentioned it was a Chinese version. Most TP-Links that are sold in China have limited flash and RAM and therefore are not able to run DD-WRT.

International, US, and Taiwan versions can though. See this list for other models, ex 841ND, 741ND, etc: https://www.dd-wrt.com/wiki/index.php/Known_incompatible_devices

Miuw
DD-WRT Novice


Joined: 12 Apr 2018
Posts: 11

PostPosted: Fri Apr 20, 2018 4:04    Post subject: Reply with quote
Thanks for the list.
However if a brand provides a firmware with a kernel and a rootfs that make a total of more than 3.9 MB, it is probably a device with 4 MB of memory.
See my teardown above, that seems to confirm it.
Anyway i found some tutorial that explain how to change the memory chips.
But i ll probably try to flash directly the memory... if i figure out how to do...
azriville
DD-WRT Novice


Joined: 15 May 2018
Posts: 1

PostPosted: Tue May 15, 2018 3:28    Post subject: Reply with quote
sisu13 wrote:
hesst:

No guarantees as I am a noob. But I think that I came across a solution for you in the process of bricking and unbricking WR802Nv1.

1. Follow youtube video: https://www.youtube.com/watch?v=0k1sxwX5pMk
2. Download Firmware version: http://www.tp-link.us/res/down/soft/TL-WR802N_V1_150717.zip (Other firmware versions have the upgrade error that you mentioned)
3. As in video use IP 192.168.0.66 to TFTP.
4. Rename the firmware to "wr802nv1_tp_recovery.bin"
5. Plug the router into the ethernet and push in reset button for 3-4 seconds. (Make sure firewalls and antivirus turned off)

This is my one and only idea. I hope it helps. If not, I am out of ideas.

Best of luck



I can concur that this method works.

I had this HW laying around for a while but needed a repeater for my room. Was configuring it late at night and while at it thought it a good idea to upgrade the firmware. Rushed through and didn't notice that there's different FW for regions. The repeater function didn't work and one key difference is the region is blocked to US only (I'm in Asia BTW).

Followed the above method, within 10 minutes it's done. I've flashed the official FW for Asia region.

The setup of the TFTP, NIC, etc only took like 5+ minutes. Flashing is only like a minute and the HW up and running another 2-3 minutes. 10 minutes all done.

Message from TFTP server as below:
"Connection received from 192.168.0.86 on port 1213 [04/01 00:17:01.640]
Read request for file <wr802nv1_tp_recovery.bin>. Mode octet [04/01 00:17:01.656]
OACK: <timeout=2,> [04/01 00:17:01.656]
Using local port 1230 [04/01 00:17:01.656]
<wr802nv1_tp_recovery.bin>: sent 7938 blks, 4063744 bytes in 2 s. 0 blk resent [04/01 00:17:03.875]
"

hope this helps.
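An added example, not part of the original posts: a passive listener that decodes the TFTP read request a bootloader sends, so the requested filename, mode and options (the fields in the log above) can be confirmed before any file is renamed. The sample packet is constructed to match that log; the function names are this example's own.

```python
import socket
import struct

RRQ, WRQ = 1, 2  # request opcodes defined in RFC 1350

# Constructed sample: a read request that would produce the log lines above.
SAMPLE_RRQ = b"\x00\x01wr802nv1_tp_recovery.bin\x00octet\x00timeout\x002\x00"


def parse_request(packet: bytes) -> dict:
    """Decode a TFTP RRQ/WRQ: opcode, filename, mode and RFC 2347 options."""
    if len(packet) < 4:
        raise ValueError("packet too short for a TFTP request")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in (RRQ, WRQ):
        raise ValueError(f"not a read/write request (opcode {opcode})")
    if packet[-1] != 0:
        raise ValueError("request is not NUL-terminated")
    fields = packet[2:-1].split(b"\x00")
    if len(fields) < 2 or len(fields) % 2 or not fields[0]:
        raise ValueError("malformed filename/mode/option fields")
    text = [f.decode("ascii", "replace") for f in fields]
    options = {text[i].lower(): text[i + 1] for i in range(2, len(text), 2)}
    return {"op": "RRQ" if opcode == RRQ else "WRQ",
            "filename": text[0], "mode": text[1].lower(), "options": options}


def watch(bind_ip: str = "192.168.0.66", port: int = 69, count: int = 1) -> list:
    """Log `count` requests without serving anything; port 69 needs privileges."""
    seen = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        while len(seen) < count:
            data, (ip, sport) = sock.recvfrom(2048)
            try:
                req = parse_request(data)
            except ValueError as err:
                print(f"{ip}:{sport} ignored: {err}")
                continue
            print(f"{ip}:{sport} {req['op']} {req['filename']!r} "
                  f"mode={req['mode']} options={req['options']}")
            seen.append((ip, req))
    return seen


if __name__ == "__main__":
    print(parse_request(SAMPLE_RRQ))
```

If `watch()` prints nothing while a packet capture on the same interface also shows no ARP traffic from the device, the bootloader is not attempting TFTP recovery at all, which is a different failure from a wrong filename.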
Miuw
DD-WRT Novice


Joined: 12 Apr 2018
Posts: 11

PostPosted: Tue May 15, 2018 13:29    Post subject: Reply with quote
Ok good to know.
You just forgot to write the version of your modem.

Are you in china ?
348heo
DD-WRT Novice


Joined: 13 Jun 2018
Posts: 1

PostPosted: Wed Jun 13, 2018 1:53    Post subject: Reply with quote
I can confirm the difficulties in flashing either DD-WRT or OpenWRT on Tp-link TL-WR802N v1 China version.

As reported by @Miuw , TFTP doesn't seem to work on these devices. The web interface also prevents upgrading due to key hash mismatch as already reported.

I have tried multiple times flashing through TFTP, using both atftpd and TFTP32 set to 192.168.0.66, but to no avail: the device doesn't seem to interact with the tftp server.

I've also sniffed packets on the ethernet interface with wireshark, and as reported by @Miuw there are no ARP packets originating from the device after a reset and power on.

Given the value of this device I'm not trying further. For anybody needing a portable router, my recommendation is to go with GL.iNet devices, which natively support (and actually run) OpenWRT. TP-LINK devices seem defective by design.