Archer D50 without uart and opening

iamjfk11 · August 13, 2020, 11:11am

Hi, i'm on localized Ita version of tp-link archer d50 ver 1,1 fw 0.8.0 1.3 v0046.0 Build 170223 Rel.61663n
i've extracted firmware with binwalk
i'm trying to flash openwrt from factory without UART
i'm trying/checking this method "https://github.com/svanheule/tplink-fw-3rd" but is for more recent model
i don't know if this theory are the same on this model : "All known tp-link firmware versions (latest is 2.4.0), can disable firmware verification and use a padded firmware file to flash OpenWrt)

ssh into target device and run cliclientd stopcs (creates directory /tmp/stopcs)
upload padded factory image via web interface

i dont'have ssh access only telnet tp-link cli

thx in advance

lleachii · August 18, 2020, 12:25pm

A D50, or C50 (I note there are Snapshots for D50)?
Where are you getting this image from?
- Please confirm the official link
- Why do you extract it?
Have you seen the instructions here?
Have you tried asking @svanheule (apparent writer of the non-UART page you linked) or @chunkeey (the committer noting the installation instructions known to work for OpenWrt)?

If non-UART instructions are not listed, the install method you're asking about is unsupported.

svanheule · August 18, 2020, 1:17pm

The page linked is specifically for the EAP245v3. My findings may apply to other devices, but most likely don't.

The 3rd image format appears to be a left-over to me, because the image parsing was very buggy and it isn't supported by any other devices.
The stopcs-method applies to more devices, but to my knowledge only EAP devices with recent firmware updates (EAP225v3, EAP225-Outdoor, EAP225-Wall, EAP245v3).

iamjfk11 · August 19, 2020, 6:23am

binwalk --signature --term Archer_D50v1_0.8.0_1.3_up_boot.bin

104720        0x19910         U-Boot version string, "U-Boot 1.1.4 (Feb 23 2017 - 10:01:09)"
104864        0x199A0         CRC32 polynomial table, big endian
132096        0x20400         LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 3763644 bytes
1442304       0x160200        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 6026988 bytes, 508 inodes, blocksize: 262144 bytes, created: 2017-02-23
                              09:07:51
8126976       0x7C0200        TP-Link firmware header, firmware version: 0.-10416.0, image version: "", product ID: 0x0, product version: -1054867455, kernel load address: 0x0,
                              kernel entry point: 0x80010000, kernel offset: 1995074, kernel length: 0, rootfs offset: 766861, rootfs length: 0, bootloader offset: 1335296,
                              bootloader length: 0
8127488       0x7C0400        Broadcom 96345 firmware header, header size: 256, firmware version: "8", board id: "6318REF", ~CRC32 header checksum: 0x9CA3CD8A, ~CRC32 data
                              checksum: 0xD62816E5
8137348       0x7C2A84        LZMA compressed data, properties: 0x6D, dictionary size: 4194304 bytes, uncompressed size: 214912 bytes
8182784       0x7CDC00        Squashfs filesystem, little endian, non-standard signature, version 4.0, compression:gzip, size: 1169970 bytes, 337 inodes, blocksize: 65536 bytes,
                              created: 2017-01-03 01:38:53
9354252       0x8EBC0C        LZMA compressed data, properties: 0x6D, dictionary size: 4194304 bytes, uncompressed size: 2305276 bytes

that's fw of D50
/lib/libnvrammanager.so not found

Binwalk is also able to perform entropy analysis, printing raw entropy data and generating entropy graphs. The entropy will be high when the bytes in the image look random, and that could mean the image has an encrypted, compressed or obfuscated file, or even hardcoded crypto key!

Custom signatures can be added to binwalk either through a custom signature file specified on the command line via the --magic option or by adding them to your $HOME/.config/binwalk/magic directory.

with this method it is not possible to find the private key to create valid fw file?

i am trying to extract u-boot and kernel following this guide "https://embeddedbits.org/reverse-engineering-router-firmware-with-binwalk/", it is slightly different fs layout of my D50, i am trying to figure out right size u-boot to extract, the more I doubt the location, 0x20400 or 0x7C2A84?
"dd if = Archer_D50v1_0.8.0_1.3_up_boot.bin of = u-boot.bin.lzma bs = 1 skip = 132096 count = ?????"

so far with my attempts, lzma u-boot is always bad end or corrupt