If you don't mind compiling a small piece of code, you can actually use tplink-safeloader
from the OpenWrt sources to extract the different partitions from US firmware from the TP-Link website. The reason you can convert a US device to a CA device, is precisely because the CA image contains information that gets written into the "info" partition (mtd2).
From tplink-safeloader.c
/** Firmware layout for the EAP225-Outdoor v1 */
[....]
.partitions = {
{"fs-uboot", 0x00000, 0x20000},
{"partition-table", 0x20000, 0x02000},
{"default-mac", 0x30000, 0x01000}, <-- MTD2 STARTS HERE
{"support-list", 0x31000, 0x00100},
{"product-info", 0x31100, 0x00400},
{"soft-version", 0x32000, 0x00100}, <-- LAST PART OF MTD2
{"firmware", 0x40000, 0xd80000},
{"user-config", 0xdc0000, 0x30000},
{"mutil-log", 0xf30000, 0x80000},
{"oops", 0xfb0000, 0x40000},
{"radio", 0xff0000, 0x10000},
{NULL, 0, 0}
},
So, (without experimental verification) you would need to start by extracting mtd2 from the device you want to convert to a US-version. Inside this 64kB blob, you need to replace the bytes starting at offset 0x1100 with a modified product-info blob from a CA image. You should be able to do this with dd
, but you will need to experiment with the offset and truncation options.
- BACK UP ALL PARTITIONS (and hope you don't nuke u-boot if you manage to write data to the wrong place)
- Extract mtd2 partition from your device, since it contains the device's MAC address
- Download CA image and extract partitions with
tplink-safeloader
- Modify "product-info" from the CA image with your favourite hex editor
- Remove (11) bytes containing "region=CA\r\n"
- Update the first four bytes, containing the partition length. E.g. if the unmodified blob has 0x000001FA, then the byte count should be 0x202 (size in header + 8). Since you are removing 11 (0xB) bytes, the new value in this case would be 0x00001ED.
Bonus: If "region=CA\r\n" is at the end of the partition, it should actually be sufficient to update only the embedded partition length.
- Write the modified blob into the extracted mtd2, at offset 0x1100. (Check that this contains similar info as the one you just modified).
- Flash the modified mtd2 (check out kmod-mtd-rw)