TP-Link TL-WR941ND ver.3 (b,g,n;MIMOx3, 4MB flash, 32MB RAM)

dchard
DD-WRT Novice


Joined: 29 Jun 2009
Posts: 25

Posted: Wed Sep 16, 2009 12:31    Post subject: TP-Link TL-WR941ND ver.3 (b,g,n;MIMOx3, 4MB flash, 32MB RAM)
An upgraded version of this router was released known as version 3.

I've made several pictures, I attached those.

I tried to open the RF shield to take picture from the radio, but it is soldered on.

I followed the previous threads about the early versions of this router:

http://dd-wrt.com/phpBB2/viewtopic.php?t=43228&highlight=wr941n

http://dd-wrt.com/phpBB2/viewtopic.php?t=40041&highlight=wr941n

Here is the downloadable GPL code base of TP-Link:

http://www.tp-link.com/support/gpl.asp

Can anybody help me, to find out: can I upgrade to DD WRT via TP-link webgui? Or what should I do if I want to install DD WRT to this router?

I cannot see any serial or JTAG port on the board.

Thank you!

Dchard


Last edited by dchard on Sun Oct 11, 2009 7:53; edited 2 times in total
dchard
DD-WRT Novice


Joined: 29 Jun 2009
Posts: 25

Posted: Sun Sep 20, 2009 14:34
Nobody can help me with this, or suggest anything?

Dchard
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17638
Location: Hesse/Germany

Posted: Sun Sep 20, 2009 16:08
do
http://www.dd-wrt.com/wiki/index.php/Broadcom_detection

and read:

_________________
Forum Guidelines...How to get help
&
Forum Rules
&
RTFM/STFW
&
Throw some buzzwords into the WIKI search!
dchard
DD-WRT Novice


Joined: 29 Jun 2009
Posts: 25

Posted: Thu Oct 08, 2009 18:49    Post subject: Re:
Sash wrote:
do
http://www.dd-wrt.com/wiki/index.php/Broadcom_detection

and read:


Hi Sash,

I read what you suggested, but I can't get closer to the solution:

1. Checked this device, but it seems currently not on the supported list yet.

2. The hardware architecture is very similar to some other routers, and there is no hardware limitation which can exclude this device: the RAM and flash are large enough to run the DD-WRT mini version, Atheros based radio and CPU. There is also a complete GPL code (with bootloader) on the manufacturer's page.

3. I took some high res pictures of the board itself. It seems there is no JTAG interface on it (just a 4 pin connector near the CPU, I don't really know what it is). Maybe on the back of the panel?? MOD: I checked and there is no pinout for any connector on the back panel.

Do you see any interface on the board? Maybe you see something I don't.

The FCC ID is:

TE7WR941NXV3

What to do next?

Thanks!

Dchard
dchard
DD-WRT Novice


Joined: 29 Jun 2009
Posts: 25

Posted: Sat Oct 10, 2009 8:51    Post subject: Follow up
This post is just for myself as a memo:

1. Find out what is that 4 pin header on the board?

2. Probably similar devices: TL-WR841N, TL-WR1043ND

3. Radio: What is the exact radio on this router?

4. Topics to follow:

Will TP-Link TL-WR941ND be supported?

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=40041&highlight=tlwr941n

TP-Link WR941ND v2

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=32715&highlight=tlwr941nd

Atheros AP81/AP83 platform, u-boot, list of known routers

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=43713&highlight=tlwr941nd

Trendnet TEW-652BRP, Atheros AR9130, DLink DIR-615 C1

http://www.dd-wrt.com/phpBB2/viewtopic.php?p=236505

Dchard
dchard
DD-WRT Novice


Joined: 29 Jun 2009
Posts: 25

Posted: Sat Oct 10, 2009 10:49    Post subject: Serial interface found
OK, after I read all the threads, FAQ and Wiki, I found the serial interface on the router. I measured 3.3V between the PINs so I need an RS232 level shifter TTL logic to make it work.

I measured the PINS resistance on the board (PIN1 in the square on the pic.):

+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+

PIN1: connected to nowhere (cannot measure any resistance to the RF shield)
PIN2: ~4,4 kOhm to RF shield
PIN3: Ground (short circuit to the RF shield)
PIN4: should be Vcc (3.3V) (~240 Ohm resistance to the RF shield)

Can anybody help me how to find the exact pinout? I think my method is not the best. Is this a serial interface at all?

MOD: updated high res pictures are available now.

Dchard
dchard
DD-WRT Novice


Joined: 29 Jun 2009
Posts: 25

Posted: Sat Oct 17, 2009 20:27    Post subject: TP-Link TL-WR941ND ver.3 serial port
The serial interface on this ver.3 board is identified (see the picture below for registered users).

Dchard


Last edited by dchard on Fri Oct 23, 2009 15:52; edited 2 times in total
dchard
DD-WRT Novice


Joined: 29 Jun 2009
Posts: 25

Posted: Sun Oct 18, 2009 21:54    Post subject: Howto find serial pins without causing damage
I found a safe method to identify the serial pins.

1. Search for the ground with a multimeter between the PINs and the RF shield. When I get a short circuit (beep), this is the ground.

2. Now pick a 3.3V LED, solder some stiff gauge to both + and -.

3. Connect the negative (-) end of the LED to the ground pin, the positive (+) end to the pin you want to identify.

4. If the LED lights up constantly, then power-cycle the device again and look at the LED:

- if it keeps lighting constantly while the router boots (no blinking), then you found the Vcc.

- if it keeps lighting constantly while the router boots and does have some blinking, then you found the TX.

- if it doesn't start to light at all (or very little light), you found the RX.

In my case, the router's TX pin is not completely worked out: some resistor is missing at the end of the chain. I connected the first pad of the missing resistor to the LED's positive gauge, and the light showed up, and during the boot it blinked several times. This method is also safe for identifying and bridging this problem. You cannot damage your router if you take care not to cause a short circuit with the measuring wires themselves. If you solder a needle to the positive end of the LED, you can most likely avoid this situation, because you can only touch one given point on the board at a time.

Dchard


Last edited by dchard on Sat Oct 24, 2009 8:40; edited 1 time in total
dchard
DD-WRT Novice


Joined: 29 Jun 2009
Posts: 25

Posted: Fri Oct 23, 2009 15:26    Post subject: Serial connection done
I finally got into the device via serial.

The port configuration is:

Baud: 115200
Data bits: 8
Stop bits: 1
Parity: none
Flow control: none

User accounts:

User name: "root"
Password: "5up"

User name: "Admin"
Password: "5up"

User name: "ap71"
Password: not needed

Here is the boot process:

Quote:
U-Boot 1.1.4 (Jun 18 2009 - 15:08:27)

AP81 (ar7100) U-boot
DRAM:
sri
32 MB
id read 0x100000ff
flash size 8MB, sector count = 128
Flash: 8 MB
Using default environment

In: serial
Out: serial
Err: serial
Net: ag7100_enet_initialize...
No valid address in Flash. Using fixed address
eth0: 00:03:7f:09:0b:ad
eth0 up
eth0
Autobooting in 1 seconds## Booting image at bf020000 ...
Uncompressing Kernel Image ... OK

Starting kernel ...

Linux version 2.6.15--LSDK-6.1.1.40 gcc version 3.4.4 #82 Fri Jul 10 16:26:06 CST 2009

flash_size passed from bootloader = 8

CPU revision is: 00019374

Determined physical RAM map:

memory: 02000000 @ 00000000 (usable)

Built 1 zonelists

Kernel command line: console=ttyS0,115200 root=31:2 rootfstype=squashfs init=/sbin/init

Primary instruction cache 64kB, physically tagged, 4-way, linesize 32 bytes.

Primary data cache 32kB, 4-way, linesize 32 bytes.

Synthesized TLB refill handler (20 instructions).

Synthesized TLB load handler fastpath (32 instructions).

Synthesized TLB store handler fastpath (32 instructions).

Synthesized TLB modify handler fastpath (31 instructions).

Cache parity protection disabled

PID hash table entries: 256 (order: 8, 4096 bytes)

Using 200.000 MHz high precision timer.

Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)

Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)

Memory: 30144k/32768k available (1406k kernel code, 2608k reserved, 301k data, 108k init, 0k highmem)

Mount-cache hash table entries: 512

Checking for 'wait' instruction... available.

NET: Registered protocol family 16

Jumpstart button pressed.

SCSI subsystem initialized

AR7100 GPIOC major 0

squashfs: version 3.3 (2007/10/31) Phillip Lougher

Initializing Cryptographic API

io scheduler noop registered

io scheduler deadline registered

Serial: 8250/16550 driver $Revision: #1 $ 1 ports, IRQ sharing disabled

serial8250.0: ttyS0 at MMIO 0x0 (irq = 19) is a 16550A

RAMDISK driver initialized: 1 RAM disks of 8192K size 1024 blocksize

PPP generic driver version 2.4.2

NET: Registered protocol family 24

cmdlinepart partition parsing not available

Searching for RedBoot partition table

5 RedBoot partitions found on MTD device ar7100-nor0

Creating 5 MTD partitions on "ar7100-nor0":

0x00000000-0x00020000 : "boot"

0x00020000-0x00120000 : "kernel"

0x00120000-0x003e0000 : "rootfs"

0x003e0000-0x003f0000 : "config"

0x003f0000-0x00400000 : "art"

->Oops: flash id 0x898912 .

->Oops: an Intel Flash.

->Oops: old stat 0x0 .

NET: Registered protocol family 2

IP route cache hash table entries: 512 (order: -1, 2048 bytes)

TCP established hash table entries: 2048 (order: 1, 8192 bytes)

TCP bind hash table entries: 2048 (order: 1, 8192 bytes)

TCP: Hash tables configured (established 2048 bind 2048)

TCP reno registered

TCP bic registered

NET: Registered protocol family 1

NET: Registered protocol family 17

802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>

All bugs added by David S. Miller <davem@redhat.com>

ar7100wdt_init: Registering WDT success

VFS: Mounted root (squashfs filesystem) readonly.

Freeing unused kernel memory: 108k freed


init started: BusyBox v1.01 (2009.06.10-11:32+0000) multi-call binary
Algorithmics/MIPS FPU Emulator v1.5

ip_conntrack version 2.4 (256 buckets, 5120 max) - 240 bytes per conntrack

insmod: cannot open module `/lib/modules/2.6.15/kernel/flashid.ko': No such file or directory
Now flash open!

Now flash open!


(none) mips #82 Fri Jul 10 16:26:06 CST 2009 (none)

(none) login: device eth0 entered promiscuous mode

br0: port 1(eth0) entering learning state

br0: topology change detected, propagating

br0: port 1(eth0) entering forwarding state

ath_hal: module license 'Proprietary' taints kernel.

ath_hal: 0.9.17.1 (AR5416, DEBUG, REGOPS_FUNC, WRITE_EEPROM, 11D)

wlan: 0.8.4.2 (Atheros/multi-bss)

ath_rate_atheros: Copyright (c) 2001-2005 Atheros Communications, Inc, All Rights Reserved

ath_dev: Copyright (c) 2001-2007 Atheros Communications, Inc, All Rights Reserved

ath_ahb: 0.9.4.5 (Atheros/multi-bss)

COEXIST is defined.

Howl Revision ID 0xb5 <6>No MBSSID aggregation support<6>wifi0: Atheros AR9100 WiSoC: mem=0xb80c0000, irq=2

wlan: mac acl policy registered

--AP ar5416InitUserSettings ahp->ah_miscMode 0xc

ar5416Reset Setting CFG 0x10a

--AP ar5416InitUserSettings ahp->ah_miscMode 0xc

ar5416Reset Setting CFG 0x10a

--AP ar5416InitUserSettings ahp->ah_miscMode 0xc

ar5416Reset Setting CFG 0x10a

--AP ar5416InitUserSettings ahp->ah_miscMode 0xc

ar5416Reset Setting CFG 0x10a

--AP ar5416InitUserSettings ahp->ah_miscMode 0xc

ar5416Reset Setting CFG 0x10a

--AP ar5416InitUserSettings ahp->ah_miscMode 0xc

ar5416Reset Setting CFG 0x10a

--AP ar5416InitUserSettings ahp->ah_miscMode 0xc

ar5416Reset Setting CFG 0x10a

--AP ar5416InitUserSettings ahp->ah_miscMode 0xc

ar5416Reset Setting CFG 0x10a

--AP ar5416InitUserSettings ahp->ah_miscMode 0xc

ar5416Reset Setting CFG 0x10a

--AP ar5416InitUserSettings ahp->ah_miscMode 0xc

ar5416Reset Setting CFG 0x10a

--AP ar5416InitUserSettings ahp->ah_miscMode 0xc

ar5416Reset Setting CFG 0x10a

--AP ar5416InitUserSettings ahp->ah_miscMode 0xc

ar5416Reset Setting CFG 0x10a

--AP ar5416InitUserSettings ahp->ah_miscMode 0xc

ar5416Reset Setting CFG 0x10a

--AP ar5416InitUserSettings ahp->ah_miscMode 0xc

ar5416Reset Setting CFG 0x10a

--AP ar5416InitUserSettings ahp->ah_miscMode 0xc

ar5416Reset Setting CFG 0x10a

--AP ar5416InitUserSettings ahp->ah_miscMode 0xc

ar5416Reset Setting CFG 0x10a

--AP ar5416InitUserSettings ahp->ah_miscMode 0xc

ar5416Reset Setting CFG 0x10a

--AP ar5416InitUserSettings ahp->ah_miscMode 0xc

ar5416Reset Setting CFG 0x10a

--AP ar5416InitUserSettings ahp->ah_miscMode 0xc

ar5416Reset Setting CFG 0x10a

--AP ar5416InitUserSettings ahp->ah_miscMode 0xc

ar5416Reset Setting CFG 0x10a

--AP ar5416InitUserSettings ahp->ah_miscMode 0xc

ar5416Reset Setting CFG 0x10a

--AP ar5416InitUserSettings ahp->ah_miscMode 0xc

ar5416Reset Setting CFG 0x10a

--AP ar5416InitUserSettings ahp->ah_miscMode 0xc

ar5416Reset Setting CFG 0x10a

--AP ar5416InitUserSettings ahp->ah_miscMode 0xc

ar5416Reset Setting CFG 0x10a

--AP ar5416InitUserSettings ahp->ah_miscMode 0xc

ar5416Reset Setting CFG 0x10a

--AP ar5416InitUserSettings ahp->ah_miscMode 0xc

ar5416Reset Setting CFG 0x10a

Country ie is US

--AP ar5416InitUserSettings ahp->ah_miscMode 0xc

ar5416Reset Setting CFG 0x10a

ath_netdev_stop: The stopping of the running

ieee80211_ioctl_setmode: CHH Mode: 11NGHT40PLUS

ieee80211_ioctl_setparam: CHH Calling ieee80211_open

ieee80211_ioctl_setparam: CHH Calling ieee80211_open

ath_set_config: Setting ATH parameter

ath_set_config: Setting ATH parameter

ath_set_config: Setting ATH parameter

ieee80211_ioctl_setparam: CHH Calling ieee80211_open

ath_set_config: Setting ATH parameter

ath_set_config: Setting ATH parameter

ieee80211_ioctl_setparam: CHH Calling ieee80211_open

Force rf_pwd_icsyndiv to 2 on 2422 (1 0)

--AP ar5416InitUserSettings ahp->ah_miscMode 0xc

ar5416Reset Setting CFG 0x10a

Country ie is US

ath_set_config: Setting ATH parameter

Force rf_pwd_icsyndiv to 2 on 2422 (1 0)

--AP ar5416InitUserSettings ahp->ah_miscMode 0xc

ar5416Reset Setting CFG 0x10a

ath_netdev_stop: The stopping of the running

ieee80211_ioctl_setparam: CHH Calling ieee80211_open

ieee80211_ioctl_setparam: CHH Calling ieee80211_open

ieee80211_ioctl_setparam: CHH Calling ieee80211_open

Force rf_pwd_icsyndiv to 2 on 2422 (1 0)

--AP ar5416InitUserSettings ahp->ah_miscMode 0xc

ar5416Reset Setting CFG 0x10a

Country ie is US

br0: port 1(eth0) entering disabled state

br0: port 1(eth0) entering learning state

br0: topology change detected, propagating

br0: port 1(eth0) entering forwarding state

device ath0 entered promiscuous mode

br0: port 2(ath0) entering learning state

br0: topology change detected, propagating

br0: port 2(ath0) entering forwarding state

ath_netdev_stop: The stopping of the running

br0: port 2(ath0) entering disabled state

Force rf_pwd_icsyndiv to 2 on 2422 (1 0)

--AP ar5416InitUserSettings ahp->ah_miscMode 0xc

ar5416Reset Setting CFG 0x10a

Country ie is US

br0: port 2(ath0) entering learning state

br0: topology change detected, propagating

br0: port 2(ath0) entering forwarding state

ath_netdev_stop: The stopping of the running

br0: port 2(ath0) entering disabled state

ieee80211_ioctl_setparam: CHH Calling ieee80211_open

Force rf_pwd_icsyndiv to 2 on 2422 (1 0)

--AP ar5416InitUserSettings ahp->ah_miscMode 0xc

ar5416Reset Setting CFG 0x10a

Country ie is US

br0: port 2(ath0) entering learning state

br0: topology change detected, propagating

br0: port 2(ath0) entering forwarding state


TL-WR941N mips #82 Fri Jul 10 16:26:06 CST 2009 (none)

TL-WR941N login:


Dchard


Last edited by dchard on Fri Oct 23, 2009 17:11; edited 1 time in total
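
Added example (not part of the original posts and not TP-Link or DD-WRT code): a Python parser for the MTD partition lines in the boot log above that checks the layout for gaps and overlaps, compares it with a stated flash size, and splits a full flash dump by partition. The function names and the single concatenated dump are assumptions; the partition lines are copied from the log.

```python
import re

# Partition lines copied from the boot log in the post above.
BOOT_LOG = """\
5 RedBoot partitions found on MTD device ar7100-nor0
Creating 5 MTD partitions on "ar7100-nor0":
0x00000000-0x00020000 : "boot"
0x00020000-0x00120000 : "kernel"
0x00120000-0x003e0000 : "rootfs"
0x003e0000-0x003f0000 : "config"
0x003f0000-0x00400000 : "art"
"""

PART_RE = re.compile(
    r'^0x([0-9a-fA-F]{8})-0x([0-9a-fA-F]{8}) : "([^"]+)"[ \t]*$', re.M)

def parse_partitions(log):
    """Return [(name, start, end)] in log order; end is exclusive."""
    return [(m.group(3), int(m.group(1), 16), int(m.group(2), 16))
            for m in PART_RE.finditer(log)]

def check_layout(parts, flash_size):
    """Return a list of problems: gaps, overlaps, or coverage != flash_size."""
    problems = []
    expected = 0  # offset where the next partition should begin
    for name, start, end in parts:
        if end <= start:
            problems.append(f"{name}: empty or inverted range")
        if start > expected:
            problems.append(f"gap of {start - expected:#x} before {name}")
        elif start < expected:
            problems.append(f"{name} overlaps previous by {expected - start:#x}")
        expected = max(expected, end)
    if expected != flash_size:
        problems.append(
            f"partitions cover {expected:#x}, flash is {flash_size:#x}")
    return problems

def carve(dump, parts):
    """Split a full flash dump into {name: bytes}; refuse a short dump."""
    need = max(end for _, _, end in parts)
    if len(dump) < need:
        raise ValueError(f"dump is {len(dump):#x} bytes, need {need:#x}")
    return {name: dump[start:end] for name, start, end in parts}

if __name__ == "__main__":
    parts = parse_partitions(BOOT_LOG)
    for name, start, end in parts:
        print(f"{name:8s} {start:#010x} {(end - start) // 1024:5d} KiB")
    print(check_layout(parts, 4 * 1024 * 1024) or "layout OK for 4 MiB")
    print(check_layout(parts, 8 * 1024 * 1024))
```

Against the log above the layout is contiguous and ends at 0x00400000, so it passes for a 4 MiB part and is flagged against the 8 MB that the U-Boot banner prints.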
dchard
DD-WRT Novice


Joined: 29 Jun 2009
Posts: 25

Posted: Fri Oct 23, 2009 16:43    Post subject: Get into U-boot
I am trying to get into U-boot, but it seems things changed since rev.2, because on that board we can access the U-boot by typing "tp" at the beginning of the boot process.

But with this rev.3 board I cannot access the U-boot with this method.

MOD:

"root" and "Admin" password cracked with John:

Password: "5up"

Dchard
dchard
DD-WRT Novice


Joined: 29 Jun 2009
Posts: 25

Posted: Mon Oct 26, 2009 0:09    Post subject: U-boot is accessible via serial on TP-Link TL-WR941ND (ve
To access U-boot there is a 1 second time window to type in "tpl".

U-Boot 1.1.4 (Jun 18 2009 - 15:08:27)

AP81 (ar7100) U-boot
DRAM:
sri
32 MB
id read 0x100000ff
flash size 8MB, sector count = 128
Flash: 8 MB
Using default environment

In: serial
Out: serial
Err: serial
Net: ag7100_enet_initialize...
No valid address in Flash. Using fixed address
eth0: 00:03:7f:09:0b:ad
eth0 up
eth0
Autobooting in 1 seconds <-- You have to type "tpl" when this line appears. No need to press [ENTER].

I don't know if larc simply miswrote it in his previous findings, anyway he mentions "tp" instead of "tpl".

For anybody else: this can be extracted from any firmware incorporating U-boot loader with a HEX editor. Check the attached picture.

I also have an idea for accessing U-boot via ethernet, but my router's ethernet ports are gone today. I didn't do anything with it: still the stock firmware on it, the wireless part and the firmware works, so I don't know what happened...

Dchard
blackshard
DD-WRT Novice


Joined: 18 Feb 2008
Posts: 42
Location: Italy

Posted: Sun Nov 01, 2009 15:24
Kinda interesting!
No one has interest in supporting this guy? He did a lot of work!
dchard
DD-WRT Novice


Joined: 29 Jun 2009
Posts: 25

Posted: Mon Nov 02, 2009 7:47    Post subject: Re:
blackshard: to be honest, I'm kinda surprised how unhelpful this community is. I never thought that I would get so far without a single comment...

Anyway, my device is in RMA at the moment, but I will continue to work after I get a new one.

Also, I dumped a lot of things out from the device (all the MTD devices, lots of config files, etc.).

I will zip and upload it.

About the U-boot: there is a hard coded client/server ip address for TFTP firmware retrieval, and the ethernet interfaces are up during U-boot. I think in that 1 second time window we can initiate a TFTP transfer to the device from a client. I will test this.

I tested the device about pushing the reset button during power on, but this has no impact on the boot process: there is no failsafe HTTP partition like Trendnet.

MOD: I uploaded the findings (mtds, a boot process, ps -aux etc.) Check the zip.

Dchard
dchard
DD-WRT Novice


Joined: 29 Jun 2009
Posts: 25

Posted: Tue Dec 01, 2009 19:30    Post subject: Re:
I got a new device in RMA. This is a rev. 3.2 board instead of my previous 3.0 board, but exactly the same layout as the 3.0 was.

I soldered the TTL pinout as before, and the board is working fine, the ethernet ports too. I don't know why the ethernet ports were gone, but it seems it was not the soldering :D

I have to fulfill some exams, so I will continue this later.

Dchard
Schugy
DD-WRT User


Joined: 28 Sep 2008
Posts: 83
Location: Germany

Posted: Tue Dec 01, 2009 22:50
I'm no developer but I think you're doing a great job.
All times are GMT