1043NDv2.1 Debricking

ParanoidZoid · December 21, 2018, 3:42am

I've got a hold of a bricked 1043NDv2 to try to fix and to add to my network. It was put up on FB Marketplace as junk parts for almost free. I've tried the TFTP "Holding Reset" button on TP-Link Devices, but it does not initialize. It's almost as if the reset button does nothing since there isn't a change of any LEDs. It always lights up as Power, Activity (the one that looks like *), LAN1, and the WPS button. Wireshark does not capture any packets with useful information.

I've soldered a serial header on and have successfully gotten a log to show up on PuTTY. It shows:

U-Boot 1.1.4 (Jun 13 2014 - 15:14:01)

ap135 - Scorpion 1.0DRAM:
sri
Scorpion 1.0
ath_ddr_initial_config(211): (16bit) ddr1 init
tap = 0x00000002
Tap (low, high) = (0xaa55aa55, 0x0)
Tap values = (0x8, 0x8, 0x8, 0x8)
 4MB

Which I know is already different from the Wiki, given that it should be like this:

U-Boot 1.1.4 (Jul 17 2015 - 14:31:22)

ap135 - Scorpion 1.0DRAM:
sri
Scorpion 1.0
ath_ddr_initial_config(178): (16bit) ddr2 init
tap = 0x00000003
Tap (low, high) = (0x0, 0x1e)
Tap values = (0xf, 0xf, 0xf, 0xf)
64 MB

From then on in, it does nothing apart from normal - lighting up the following LEDs again: Power, Activity (the one that looks like *), LAN1, and the WPS button. I cannot do the standard wait and type tpl

I got a chat with the owner of the bricked router and he stated that he played around with generating his own OpenWRT image and it all went to crap when he installed an image he generated that had ASLR on. Could this have done something to Uboot-Env?

My question is this: Am I missing something? Can I do anything else besides JTAG or reprogramming the SPI/Flash Chip? I don't think that it's worth the effort doing either option since I don't have a fine enough solder tip or the steady hands required for finer soldering if that's the case.

kukulo · December 21, 2018, 1:43pm

Looks like Dram configuration is gone. Your is showing only 4MB. The least complicated thing is to me to reprogram the SPI Flash. I would get a hold of a new SPI chip, program it and exchange it (desolder and solder a new one).

ParanoidZoid · December 21, 2018, 2:09pm

If I were to theoretically do that, what would the necessary tools/process be?

I can only really think of:

SPI Programmer (I already have a Raspberry Pi that can be loaded up with FlashROM/Libreboot)
New SPI chip (Winbond W25Q64FVSIG)
Heat Gun (to remove/replace the SPI chip)

I would then also need to somehow read this data off the old SPI chip:

U-Boot (Yes/No?)
Atheros Radio Test (ART)

If I somehow did all of this, I would then need to create/gather an image and then load it up on the new flash chip.

This honestly sounds like an incredibly huge undertaking of both time and effort. How is it possible that a single image managed to do all this damage? From my experience it's REALLY hard to brick a router given that there are so many means of recovery - but to somehow have only the most resource intensive methods of SPI reprogramming or JTAG as the sole options left seems crazy.

kukulo · December 21, 2018, 2:39pm

For desoldering you will need a soldering iron and solder sucker.

A video with desoldering you will find here: https://www.youtube.com/watch?v=l6rw1zo4A2c&app=desktop

I have a TL-wr1043nd v2.1 and can supply you the u-boot and art if you want.

kukulo · December 21, 2018, 2:46pm

Maybe a 16MB flash together with u-boot from https://github.com/pepe2k/u-boot_mod ?

ParanoidZoid · December 21, 2018, 3:41pm

Forgive me since, I've only ever done TFTP and Serial Recovery - but doesn't the ART contain the specific MAC address of the router? If it doesn't, I would really like a copy of the ART partition.

Thanks for the video, I'm not German but it did help. However, I think I'd have to ask a friend who has better/more available tools for the actual transfer of the chip.

So that leaves me with just generating an image with the contents of /proc/mtd. From the video you sent, even though it is another router model, what or do I need to get anything from the old flash chip?

u-boot <-- will need this
kernel <-- comes from OpenWrt or stock image
rootfs <-- comes from OpenWrt or stock image
roofs_data <-- comes from OpenWrt or stock image
art <-- from my old chip or (potentially) from you (thank you!!!)
firmware <-- from my old chip (I don't know if this partition exists in the 1043NDv2.1 though)

kukulo · December 21, 2018, 3:52pm

U-boot is here: http://www.mediafire.com/file/p4809agj26tmtp0/mtd0.zip/file

Try to extract the art from the old chip, if you do not succeed, come back.

mk24 · December 21, 2018, 4:55pm

The firmware partition is a union overlaying kernel+rootfs+rootfs_data. It's not a separate partition. In other words it is an alias for the middle part of the flash that is not bootloader or ART.

I thought the Atheros chips probe the RAM size from ROM, before starting the bootloader.

There is no further output on serial after it says "4MB" ?

ParanoidZoid · December 23, 2018, 4:58am

This will take me some time to do given the season and the lack of tools. But I'll try and do it.

ParanoidZoid · December 23, 2018, 4:59am

Nope, there is no output whatsoever. Serial connection is clean given that the initial output is not garbled. All I know is that the seller had tried to flash a custom generated OpenWrt image with ASLR, resulting in this current brick.

darkspot · September 12, 2022, 3:17pm

HI
I have the same router with the exact same output.
I know it was 4 years ago. But: did you recover it?
Thanks

slh · September 12, 2022, 4:01pm

If push-button tftp recovery isn't successful, I'd personally stop trying any further. If the bootloader is shot, chances are ART is as well (and contrary to u-boot, this wifi calibration data is unique and not recoverable).

A spi-nor writer and soic8 clamp would set you back at least 10 bucks (plus the 5 you already spent on a usb2serial adapter) and soldering equipment (>30), while fully functional tl-wdr3600 (concurrent dual-band, 8/128) go for around 10 bucks on the used markets.

--
No, I wouldn't really buy a tl-wdr3600 today - but they're strictly better than the tl-wr1043ndv2 in every regard, sell very cheaply and are commonly available, for less than the equipment you'd need to recover your device (with an unclear outcome if you can resurrect its wifi).

mk24 · September 12, 2022, 4:29pm

The LEDs should come on then most of them go out a fraction of a second after power up when the bootloader starts running. If they come on and all stay on, it's either a corrupted bootloader or hardware (CPU or RAM) failure. There will also be no output from the serial port in this case.

ParanoidZoid · September 13, 2022, 3:14pm

I was not able to recover it. Replacing the chip was not worth it since I would have had to acquire a soic/spi writer with added shipping fees ( per @slh ) or go to a repair shop. Both were more expensive than what the router/AP combo was worth. Finding the necessary chip to replace it with was also a hassle without resorting to importing from China with extremely long shipping times.

The ART partition was also pretty much toast as I didn't back it up, meaning no WiFi.

I ended up disposing of it at my local e-waste facility.

system · September 23, 2022, 3:15pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.