Will TP-Link TL-WR941ND be supported?

lark
DD-WRT Novice


Joined: 28 Oct 2008
Posts: 33

Posted: Sat Nov 22, 2008 14:59
The official firmware is exactly the concatenated kernel image (0x0010000, 1024KB) and rootfs (0x002c0000, 2816KB) with padding.

Extracting rootfs is as easy as

Quote:

$ dd if=wr941n_cn_3_3_10_up\(080630\).bin of=squashfs.bin bs=1K skip=1024


And I am sure the flash size is 4MB. The 8MB message printed by u-boot should be hardcoded.

Quote:

ar7100> flinfo

Bank # 1: The hell do you want flinfo for??
Menkatek
DD-WRT Novice


Joined: 11 Nov 2008
Posts: 44

Posted: Mon Nov 24, 2008 16:23
Nice work, lark! I don't really understand it except 4MB flash memory should still be enough, right? I hope Sash will reply to this thread. But he seems to be ignoring it... :?
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17619
Location: Hesse/Germany

Posted: Mon Nov 24, 2008 18:15
since I'm not familiar with uboot this port should be transferred to BS ;)
_________________
Forum Guidelines...How to get help
&
Forum Rules
&
RTFM/STFW
&
Throw some buzzwords into the WIKI search Exclamation
_________________
I'm NOT rude, just offer pure facts!
_________________
Atheros (TP-Link & Clones, etc ) debrick service in EU
_________________
Guide on HowTo be Safe, Secure and Protect Your Online Anonymity!
lark
DD-WRT Novice


Joined: 28 Oct 2008
Posts: 33

Posted: Tue Nov 25, 2008 1:24
Menkatek wrote:
Nice work, lark! I don't really understand it except 4MB flash memory should still be enough, right? I hope Sash will reply to this thread. But he seems to be ignoring it... :?

This is the tail of "hexdump -C squashfs.bin":

Code:

002608d0  83 d4 bb 95 3a 37 f3 ae  64 fb ac fb 5f cc 26 e2  |....:7..d..._.&.|
002608e0  d9 3f 67 92 83 ca 00 00  00 00 00 26 06 72 00 00  |.?g........&.r..|
002608f0  00 00 00 00 01 f4 00 00  00 00 00 00 00 00 00 00  |................|
00260900  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00261000  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
002c0000


So there is still 2c0000 - 261000 = 380KB of room. Using a 30% compression ratio, about 1.23MB of room is left for firmware. So I think 4MB is enough for a simple router.

It's bad that the wr941n uses a SOP-16 flash chip, but cheap flash programmers usually only support SOP-8.

I will replace it with 8MB or even 16MB flash, but not now.
lark
DD-WRT Novice


Joined: 28 Oct 2008
Posts: 33

Posted: Tue Nov 25, 2008 2:12
I sent an email to Luis Rodriguez of Atheros (who is active in kernel contribution for Atheros chips) with these questions:
Quote:

1. If I want to get source code for the bootloader and firmware packing tools, who should I query, Atheros or device vendors?
2. Will Atheros provide source code for the bootloader and firmware packing tools (for device vendors) directly and publicly?


He replied
Quote:

Openwrt already takes care of this.


I will poke around and report back :)
lark
DD-WRT Novice


Joined: 28 Oct 2008
Posts: 33

Posted: Fri Nov 28, 2008 7:52
wr941n's uboot seems to be modified, so when given a kernel image, it will skip a header. I haven't found out the header size yet, possibly 0x200.

The header contains 2 checksums, which I think are md5sums, for example (starting from 0x4d)
Quote:

00000000 01 00 00 00 54 50 2d 4c 49 4e 4b 20 54 65 63 68 |....TP-LINK Tech|
00000010 6e 6f 6c 6f 67 69 65 73 00 00 00 00 76 65 72 2e |nologies....ver.|
00000020 20 31 2e 30 00 00 00 00 00 00 00 00 00 00 00 00 | 1.0............|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040 09 41 00 02 00 00 00 02 00 00 00 00 95 60 d2 bc |.A...........`..|
00000050 64 26 e1 23 50 0c 29 4e 75 31 5b 0c 00 00 00 00 |d&.#P.)Nu1[.....|
00000060 1d 7b 61 37 81 86 71 d7 af 86 a5 8f cd af 77 78 |.{a7..q.......wx|
00000070 00 00 00 00 80 06 00 00 80 27 50 00 00 3c 00 00 |.........'P..<..|
00000080 00 00 02 00 00 0f d0 22 00 10 00 00 00 2c 00 00 |.......".....,..|
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000200 1f 8b 08 08 ce 30 68 48 00 03 76 6d 6c 69 6e 75 |.....0hH..vmlinu|


I am not sure if uboot will check the checksum.

The checksum is not a direct md5sum, it has a seed. The main program (/usr/bin/httpd) will verify the checksum. Fortunately, they put in a httpd with symbols :)

Always verify checksum (return 1)
Quote:

0048ed50 <isSysUpgradeNeedChecksum>:
48ed50: 03e00008 jr ra
48ed54: 24020001 li v0,1


This should be md5 checksum seeding, but I am not familiar with MIPS instructions. Can anyone else figure it out?
Quote:

100022a0 <md5Key_bootloader>:
100022a0: 8cef335b lw t7,13147(a3)
100022a4: d5c5cefa ldc1 $f5,-12550(t6)
100022a8: a79c28da sh gp,10458(gp)
100022ac: b2e90f42 0xb2e90f42


There is a check_header function
Quote:

00421520 <check_header>:
....

But I guess it doesn't get called.

I also dumped mtd block3 and block4, and did some analysis. Some interesting things here:
Quote:

# file config.bin art.bin
config.bin: BIOS (ia32) ROM Ext. (3*512)
art.bin: DOS executable (device driver) for DOS

But generally, the content's format is not obvious.

My easy plan is keeping the whole kernel thing and replacing userspace programs with dd-wrt's.

First step is busybox. wr941n uses mips big endian. Although openwrt has a mips BE tool chain, I decided to compile my own tool chain in my debian environment.

The wr941n uses 0.9.28.2 or older version of uClibc 0.9.28. 0.9.28.2's layout will conflict with other dpkg-cross-ified toolchains, so I modified the 0.9.28.3 debian source package to compile out packages which use the 0.9.28.2 -soname scheme. Then I built gcc-mips-linux-uclibc packages.

wr941n also uses an old busybox (1.01), whose behaviour is different from the busybox 1.12.2 I used. For example, wr941n's udhcpc will go to the background immediately, but 1.12.2's does not (it supports -b but wr941n's main program doesn't call udhcpc that way), and then wr941n's main program hangs there. I modified udhcpc to always -b.

Finally, I replaced busybox. The new rootfs runs fine and gives me telnet access. Now serial port overrun is not a big problem.

This is how I flash it:
Quote:

flash my testing rootfs
erase bf120000 +2c0000; tftp 81000000 newfs.bin; cp.b 81000000 bf120000 2c0000

flash factory rootfs
erase bf120000 +2c0000; tftp 81000000 squashfs.bin; cp.b 81000000 bf120000 2c0000


I will put scripts and bins on my own site later.
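As an added example (not code from the post or from TP-Link), this Python code decodes the header bytes from the hexdump in the post above and implements a seeded-MD5 check of the kind described there. The field names and the seeding scheme (the 16-byte checksum field at 0x4c is overwritten with the key before the whole image is hashed) follow OpenWrt's mktplinkfw tool and are assumptions here; the post does not establish which key applies to which image.

```python
import hashlib
import struct

# First 0x90 header bytes transcribed from the hexdump in the post; the dump
# shows zeros from 0x90 up to the gzip'd kernel at 0x200.
HEADER = bytes.fromhex("""
01 00 00 00 54 50 2d 4c 49 4e 4b 20 54 65 63 68
6e 6f 6c 6f 67 69 65 73 00 00 00 00 76 65 72 2e
20 31 2e 30 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
09 41 00 02 00 00 00 02 00 00 00 00 95 60 d2 bc
64 26 e1 23 50 0c 29 4e 75 31 5b 0c 00 00 00 00
1d 7b 61 37 81 86 71 d7 af 86 a5 8f cd af 77 78
00 00 00 00 80 06 00 00 80 27 50 00 00 3c 00 00
00 00 02 00 00 0f d0 22 00 10 00 00 00 2c 00 00
""").ljust(0x200, b"\x00")

# Bytes listed under md5Key_bootloader in the post, read as data, not code.
MD5_KEY_BOOTLOADER = bytes.fromhex("8cef335bd5c5cefaa79c28dab2e90f42")

# Field names are assumptions (OpenWrt mktplinkfw naming); big-endian layout.
FIELDS = ("version vendor fw_version hw_id hw_rev unk1 md5sum1 unk2 md5sum2 "
          "unk3 kernel_la kernel_ep fw_length kernel_ofs kernel_len "
          "rootfs_ofs rootfs_len").split()
LAYOUT = struct.Struct(">I24s36s3I16sI16sI7I")
MD5_OFS = 0x4C  # start of the first 16-byte checksum in the dump

def parse_header(image: bytes) -> dict:
    if len(image) < LAYOUT.size:
        raise ValueError("image shorter than header")
    hdr = dict(zip(FIELDS, LAYOUT.unpack_from(image)))
    for name in ("vendor", "fw_version"):
        hdr[name] = hdr[name].rstrip(b"\x00").decode("ascii", "replace")
    return hdr

def seeded_md5(image: bytes, key: bytes) -> bytes:
    """MD5 over the image with the checksum field overwritten by the key."""
    if len(key) != 16:
        raise ValueError("key must be 16 bytes")
    return hashlib.md5(image[:MD5_OFS] + key + image[MD5_OFS + 16:]).digest()

def checksum_ok(image: bytes, key: bytes) -> bool:
    return seeded_md5(image, key) == image[MD5_OFS:MD5_OFS + 16]

if __name__ == "__main__":
    for name, value in parse_header(HEADER).items():
        print(name, hex(value) if isinstance(value, int) else value)
```

The decoded offsets agree with the post: kernel data at 0x200, rootfs at 0x100000 with length 0x2c0000. Because the key ships inside the firmware itself, a check of this kind detects corruption but does not authenticate where an image came from.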
lark
DD-WRT Novice


Joined: 28 Oct 2008
Posts: 33

Posted: Sat Nov 29, 2008 18:06
Ok, I have some more progress here.

With RoundSparrow's information (http://www.dd-wrt.com/phpBB2/viewtopic.php?t=43228), I downloaded the SDK from Trendnet. Although the SDK looks buggy and in a mess, I made some tweaks, built kernel modules to test the kernel tree and succeeded :)

Quote:

# insmod scsi_mod.ko
insmod: cannot insert 'scsi_mod.ko': invalid module format
# insmod scsi_mod.ko
insmod: cannot insert 'scsi_mod.ko': unknown symbol in module
# insmod scsi_mod.ko
# dmesg|tail
br0: port 1(ath0) entering learning state
br0: topology change detected, propagating
br0: port 2(eth0) entering forwarding state
br0: topology change detected, propagating
br0: port 1(ath0) entering forwarding state
scsi_mod: version magic '2.6.15- MIPS32_R2 32BIT gcc-3.4' should be '2.6.15--LSDK-6.1.1.40 MIPS32_R2 32BIT gcc-3.4'
scsi_mod: version magic '2.6.15- MIPS32_R2 32BIT gcc-3.4' should be '2.6.15--LSDK-6.1.1.40 MIPS32_R2 32BIT gcc-3.4'
scsi_mod: version magic '2.6.15- MIPS32_R2 32BIT gcc-3.4' should be '2.6.15--LSDK-6.1.1.40 MIPS32_R2 32BIT gcc-3.4'
scsi_mod: Unknown symbol __might_sleep
SCSI subsystem initialized


So usb
Quote:

# insmod ehci_hcd.ko
# insmod ohci_hcd.ko
# dmesg | more
<snip>
0 Dec 2004 USB 2.0 'Enhanced' Host Controller (EHCI) Driver (AR7100_EHCI)
In ar7100_ehci_drv_probe
probing ehci...
hcd->regs is 0xbb000000
/home/TEW-652BRP/TEW-652BRP_GPL/platform/AR9100/kernels/mips-linux-2.6.15/drivers/usb/host/ehci-ar7100.c: starting AR7100 EHCI USB Controller...done. reset 0x0 usb config 0x2
ehci->caps is 0xbb000000
ehci->caps->hc_base is 0x42fa05
ar7100-ehci ar7100-ehci.0: AR7100 EHCI
ar7100-ehci ar7100-ehci.0: new USB bus registered, assigned bus number 1
ar7100-ehci ar7100-ehci.0: irq 3, io mem 0x1b000000
hcc_params addr 0xbb000008 val 0x10020001 hcs_params addr 0xbb000004 val 0x22
ar7100-ehci ar7100-ehci.0: USB 0.0 started, EHCI 0.42, driver 10 Dec 2004
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 2 ports detected
...probing done
2005 April 22 USB 1.1 'Open' Host Controller (OHCI) Driver (ar7100_ohci)block sizes: ed 64 td 64
In ohci_hcd_ar7100_drv_probeprobing...
/home/TEW-652BRP/TEW-652BRP_GPL/platform/AR9100/kernels/mips-linux-2.6.15/drivers/usb/host/ohci-ar7100.c: starting AR7100 OHCI USB Controller...<6>ar7100-ohci ar7100-ohci.0: AR7100 OHCI
ar7100-ohci ar7100-ohci.0: new USB bus registered, assigned bus number 2
ar7100-ohci ar7100-ohci.0: irq 22, io mem 0x1c000000
ar7100-ohci ar7100-ohci.0: init err (00000000 0038)
/home/TEW-652BRP/TEW-652BRP_GPL/platform/AR9100/kernels/mips-linux-2.6.15/drivers/usb/host/ohci-ar7100.c: can't start ar7100_usb
ar7100-ohci ar7100-ohci.0: startup error -79
ar7100-ohci ar7100-ohci.0: USB bus 2 deregistered
/home/TEW-652BRP/TEW-652BRP_GPL/platform/AR9100/kernels/mips-linux-2.6.15/drivers/usb/host/ohci-ar7100.c: stopping ar7100 OHCI USB Controller
ar7100-ohci: probe of ar7100-ohci.0 failed with error -79


I am also looking at the USB port's power supply circuit. It is a 12V to 5V DC-DC converter, and yes, it's not as complex as I thought before.

AR913x supports USB On-The-Go, but WR941N seems to use it as a pure host, so the power supply is simplified.

I think I can figure out the USB PSU soon, then the USB port can be used --- that is one of the reasons that I bought WR941N.
lark
DD-WRT Novice


Joined: 28 Oct 2008
Posts: 33

Posted: Tue Dec 02, 2008 19:04
I contacted TP-Link (China) support to ask for source code. They refused at first but after I wrote another email, they gave me a link
http://www.tplink.com/support/gpl.asp

I downloaded source code for WR941ND (it is hot fresh, timestamp is 2008-11-26). This link is not public yet, with only one google result
http://forums.whirlpool.net.au/forum-replies-archive.cfm/1014261.html
TP-Link was slow but they took the right action at last.

The source code they provide is not complete. U-boot is missing, however, kernel code is complete. They use their own GUI implementation and source code is not available.

To make upgradable and reversible replacement firmware, the firmware format and config format must be known. I have asked them to provide this information along with u-boot source code. With this information, I will implement the nvram interface and firmware packaging scripts.
lark
DD-WRT Novice


Joined: 28 Oct 2008
Posts: 33

Posted: Thu Dec 04, 2008 21:24
More progress.

TP-Link's technical staff rejected my request for u-boot source code and firmware format. Then I read the disassembled code and wrote a fixsum tool. Currently, this tool can only be used under a big endian system; fixing it is easy, but now it is too late and I will go to bed.

I have upgraded via web UI using firmware I repackaged successfully.

So, here is a snapshot of what I have done
http://download.lark.net.cn/wr941n/hack/

It's time to move on :D

!!! USE AT YOUR OWN RISK !!!

Sash & BrainSlayer, can you spend some time on WR941N now?

Update: fixsum now can run correctly under little endian system (for example, x86) - Fri Dec 5 13:58:12 CST 2008
RoundSparrow
DD-WRT User


Joined: 28 Nov 2008
Posts: 112

Posted: Sat Dec 06, 2008 15:29
I see u-boot coming up more and more on the Atheros systems. Has anyone found a way to access u-boot from Ethernet (not adding rs232 serial to hardware) like you can with redboot on port 9000?

I have been able to inject my own content into the firmware for the Trendnet TEW-652BRP and the D-Link DIR-615 Rev C1 (identical Atheros based routers).

You mentioned replacing BusyBox. Do you have the newest one compiled for kernel 2.6.15 on this CPU? Can you put that Busybox binary up - might be useful in our quest to get telnet up on these two firmwares.

Our thread: http://www.dd-wrt.com/phpBB2/viewtopic.php?p=236505
lark
DD-WRT Novice


Joined: 28 Oct 2008
Posts: 33

Posted: Sat Dec 06, 2008 17:00
RoundSparrow wrote:
I see u-boot coming up more and more on the Atheros systems. Has anyone found a way to access u-boot from Ethernet (not adding rs232 serial to hardware) like you can with redboot on port 9000?

I have been able to inject my own content into the firmware for the Trendnet TEW-652BRP and the D-Link DIR-615 Rev C1 (identical Atheros based routers).

You mentioned replacing BusyBox. Do you have the newest one compiled for kernel 2.6.15 on this CPU? Can you put that Busybox binary up - might be useful in our quest to get telnet up on these two firmwares.

Our thread: http://www.dd-wrt.com/phpBB2/viewtopic.php?p=236505


I put busybox_inst.tar.gz compiled from modified 1.12.2 - almost latest :) - at

http://download.lark.net.cn/wr941n/hack
BrainSlayer
Site Admin


Joined: 06 Jun 2006
Posts: 7463
Location: Dresden, Germany

Posted: Sat Dec 06, 2008 17:25
i will review the source and look what i can do. about the uboot. no there is no way to access it without serial console

but it could take a while until i'm done with ap81 or ap83. i have the sourcecodes for all the 802.11n drivers, but they aren't that good and they don't support our current featureset used in other atheros based units where we are using our own driver

_________________
"So you tried to use the computer and it started smoking? Sounds like a Mac to me.." - Louis Rossmann https://www.youtube.com/watch?v=eL_5YDRWqGE&t=60s
lark
DD-WRT Novice


Joined: 28 Oct 2008
Posts: 33

Posted: Sat Dec 06, 2008 18:11
BrainSlayer wrote:
i will review the source and look what i can do. about the uboot. no there is no way to access it without serial console

but it could take a while until i'm done with ap81 or ap83. i have the sourcecodes for all the 802.11n drivers, but they aren't that good and they don't support our current featureset used in other atheros based units where we are using our own driver


feature set, for example? My suggestion is using their built kernel first, make it work, then expand. Nvram emulation is the first thing that should be done now.

u-boot has no server facility, such as httpd, like redboot, but I think it's not a problem. Using 1 GPIO, u-boot script, and some customized command, you can have 2 predefined functions (for example, press GPIO switch less than 5 seconds or longer), including tftp and boot a failsafe image.
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17619
Location: Hesse/Germany

Posted: Sat Dec 06, 2008 18:21
lark wrote:
feature set, for example?

years of modding the orig atheros hal within the license agreement. so too many changes to tell
Quote:

u-boot has no server facility, such as httpd, like redboot, but I think it's not a problem.

it's a problem when u think of the other 99% of the users that do not have any skills in coding and hw modding

RoundSparrow
DD-WRT User


Joined: 28 Nov 2008
Posts: 112

Posted: Sun Dec 07, 2008 4:07
Does this router have a recovery mode like the d-link and trendnet u-boot Atheros routers?

Hold down reset button, connect power, keep holding reset button (I do it for at least 30 seconds, not sure how long it really needs). Then you can connect on http at 192.168.0.1

Just curious if that's built into the router you have.
Page 2 of 26. All times are GMT.