[INFO] Debricking TPLink TL-WR1043ND v.1.11 using JTAG


#1

Hi,

I have gone through the process of de-bricking my router. Since I experienced some problems, I decided to share the process and create this write-up.

Model: TPLINK TL-WR1043ND v.1.11
Symptoms: only power LED is on, no serial console available
Brick cause: SPI flash overwritten with garbage because of wrong file specified during write of "fullflash"

JTAG hardware used: FTDI 232H (aka FT232H)
JTAG software: openocd
300 ohm resistor is required for EJTAG connection

Openwrt device page: https://openwrt.org/toh/tp-link/tl-wr1043nd
Openwrt de-bricking instructions: https://openwrt.org/docs/guide-user/hardware/debrick.ath79.using.jtag

  1. JTAG connection
AD0 - TCK
AD1 - TDI
AD2 - TDO
AD3 - TMS
AC1 - nSRST
nTRST - 300ohm - VREF

Use a 300ohm resistor to connect the nTRST and VREF pins (pull-up).

  1. Verifying openocd connection
# openocd -f tcl/interface/ftdi/um232h.cfg -f ath79.cfg -c "adapter_khz 6000"
Open On-Chip Debugger 0.10.0+dev-00567-gcea4015 (2018-11-06-12:50)
Licensed under GNU GPL v2
Info : auto-selecting first available session transport "jtag". To override use 'transport select <transport>'.
jtag_ntrst_assert_width: 200
jtag_ntrst_delay: 1
trst_only separate trst_push_pull
adapter speed: 6000 kHz
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : clock speed 6000 kHz
Info : JTAG tap: ath79.cpu tap/device found: 0x00000001 (mfg: 0x000 (<invalid>), part: 0x0000, ver: 0x0)
MIPS32 with MIPS16 support implemented
Info : Listening on port 3333 for gdb connections
Info : accepting 'telnet' connection on tcp/4444
    TargetName         Type       Endian TapName            State
--  ------------------ ---------- ------ ------------------ ------------
 0* ath79.cpu          mips_m4k   big    ath79.cpu          halted
Error: Unknown flash device (ID 0x0017301c)

If you see the same output – then everything is set up correctly.
If you see "Error: ath79.cpu: IR capture error; saw 0x1f not 0x01" – then your JTAG wiring is bad.

  1. Adding SPI support

Following the Openwrt instructions, add support for your SPI. In my case "Unknown flash device (ID 0x0017301c)" means that my SPI is not supported by openocd. I made this modification and recompiled openocd:

diff --git a/src/flash/nor/spi.c b/src/flash/nor/spi.c
index 273e850..73994f7 100644
--- a/src/flash/nor/spi.c
+++ b/src/flash/nor/spi.c
@@ -80,5 +80,6 @@ const struct flash_device flash_devices[] = {
        FLASH_ID("gd gd25q16c",         0xd8, 0xc7, 0x001540c8, 0x100, 0x10000, 0x200000),
        FLASH_ID("gd gd25q32c",         0xd8, 0xc7, 0x001640c8, 0x100, 0x10000, 0x400000),
        FLASH_ID("gd gd25q128c",        0xd8, 0xc7, 0x001840c8, 0x100, 0x10000, 0x1000000),
+      FLASH_ID("EN25Q64-104HIP",      0xd8, 0xc7, 0x0017301c, 0x100, 0x10000, 0x800000),
        FLASH_ID(NULL,                  0,    0,    0,          0,     0,       0)
 };
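Review bot: the new row's name "EN25Q64-104HIP" breaks the table's naming convention, in which every other entry is a lower-case "vendor part" string (for example "gd gd25q128c"), and the added line appears to be indented with spaces where the surrounding rows use the file's tab; suggest `FLASH_ID("eon en25q64", 0xd8, 0xc7, 0x0017301c, 0x100, 0x10000, 0x800000),` with the same indentation as its neighbours. The values themselves are consistent with the adjacent rows: the capacity byte 0x17 of the ID gives 2^23 = 0x800000 bytes, the manufacturer byte 0x1c is EON's, and the 0x100 page / 0x10000 sector sizes with the 0xd8/0xc7 erase opcodes match the GD rows above.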
  1. ath79.conf issue

This is the most tricky part. For some reason the latest openocd refuses to write the flash the way it was done in the instructions:

flash write_image unlock cfe.bin 0xbf000000
auto unlock enabled
Start address out of range: 0 bf000000 800000
error writing to flash at address 0xbf000000 at offset 0x00000000

I had to change the flash bank address in the ath79.conf file from 0xbf000000 to 0x00000000. The last line should look like this:

flash bank $_FLASHNAME ath79 0x00000000 0x01000000 0 0 $_TARGETNAME

So now, if you want to read the flash you use:

dump_image cfe.bin 0x9f000000 0x20000

Offset specified was 0x9f000000. If you want to write the flash, you use 0x00000000:

flash write_image unlock cfe.bin 0x00000000

But both commands will reference the same block in the SPI – the first 128KB, which is the bootloader aka CFE.

  1. Find CFE

Now you need to find a 128KB CFE file for your model and flash it. The best option would be to dump the CFE from a similar router, but you can also use the TPLINK OEM firmware and extract the CFE from it - just be sure to download the correct version. Download it and unzip. The bootloader starts at offset 0x200, so you have to skip the first 512 bytes and copy a total of 131072 bytes:

# dd if=wr1043nv1_en_3_13_15_up_boot\(140319\).bin skip=1 bs=512 count=256 of=cfe.bin
256+0 records in
256+0 records out
131072 bytes (131 kB, 128 KiB) copied, 0.0406206 s, 3.2 MB/s

Follow the Openwrt de-bricking openocd instructions and flash the CFE file you just got.

  1. If you got the correct CFE file, your JTAG connection was fine and openocd showed no errors, writing will complete in about 1 hour (depends on your JTAG hardware speed). Reset the router. You should now see the system LED also on. This means the bootloader is available.

  2. Follow the Openwrt instructions to connect the serial console and perform TFTP recovery as usual.

HTH
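As an added example (not code from the post, from OpenWrt or from openocd), the script below works through the numbers in the write-up so they can be checked before trusting them on a bricked board: it decodes the JEDEC ID 0x0017301c the way openocd's FLASH_ID table packs it and cross-checks every row of the quoted patch, it reproduces the address bookkeeping behind reading at 0x9f000000 while writing at 0x00000000, and it carves the 128 KiB CFE out of an OEM image at offset 0x200 exactly as the dd command does. The `FLASH_PHYS = 0x1f000000` window, the small manufacturer table and the form of the range check behind the "Start address out of range" message are assumptions made for the example; the IDs, sizes and offsets come from the post.

```python
"""Check the flash ID, address and CFE-offset arithmetic from the TL-WR1043ND
debrick write-up. Added example; not part of the forum post or of openocd."""

# FLASH_ID rows quoted from the patch in the post: name -> (device_id, size_in_bytes)
FLASH_TABLE = {
    "gd gd25q16c": (0x001540c8, 0x200000),
    "gd gd25q32c": (0x001640c8, 0x400000),
    "gd gd25q128c": (0x001840c8, 0x1000000),
    "EN25Q64-104HIP": (0x0017301c, 0x800000),
}

# JEDEC manufacturer bytes (assumption: a small subset, enough for the rows above)
MANUFACTURERS = {0xc8: "GigaDevice", 0x1c: "EON", 0xef: "Winbond", 0xc2: "Macronix"}


def decode_jedec_id(device_id):
    """openocd packs the three RDID (opcode 0x9F) bytes little-endian into one int:
    bits 7:0 manufacturer, 15:8 memory type, 23:16 capacity. For the vendors in
    this table the capacity byte is log2 of the size in bytes (0x17 -> 2**23 = 8 MiB)."""
    mfg = device_id & 0xFF
    mem_type = (device_id >> 8) & 0xFF
    capacity = (device_id >> 16) & 0xFF
    return {
        "manufacturer": MANUFACTURERS.get(mfg, "unknown 0x%02x" % mfg),
        "memory_type": mem_type,
        "size_bytes": 1 << capacity,
    }


def table_mismatches(table=FLASH_TABLE):
    """Names of rows whose declared size disagrees with the capacity byte of the ID.
    A wrong size would make openocd write past the chip or reject valid offsets."""
    return [name for name, (dev_id, size) in table.items()
            if decode_jedec_id(dev_id)["size_bytes"] != size]


# Address bookkeeping. From the post: bank base rewritten to 0, chip is 8 MiB.
BANK_BASE = 0x00000000
CHIP_SIZE = 0x800000
# Assumption: the ath79 SoC exposes the SPI flash at physical 0x1f000000; the post's
# 0x9f000000 and the original 0xbf000000 are its MIPS KSEG0 (cached) and KSEG1
# (uncached) aliases. Both segments are fixed windows onto physical 0..0x1fffffff.
FLASH_PHYS = 0x1F000000


def write_offset(addr, base=BANK_BASE, size=CHIP_SIZE):
    """Range check in the spirit of 'Start address out of range: 0 bf000000 800000'
    (assumed form): a write_image address must fall inside the bank's address range."""
    if not base <= addr < base + size:
        raise ValueError("Start address out of range: %x %x %x" % (base, addr, size))
    return addr - base


def read_offset(cpu_addr):
    """Map a dump_image CPU address (KSEG0/KSEG1) to the byte offset inside the chip,
    so 0x9f000000 and 0xbf000000 both give offset 0, the same bytes that
    'flash write_image ... 0x00000000' targets once the bank base is 0."""
    if not 0x80000000 <= cpu_addr < 0xC0000000:
        raise ValueError("0x%08x is not a KSEG0/KSEG1 address" % cpu_addr)
    phys = cpu_addr & 0x1FFFFFFF
    if not FLASH_PHYS <= phys < FLASH_PHYS + CHIP_SIZE:
        raise ValueError("0x%08x does not fall inside the flash window" % cpu_addr)
    return phys - FLASH_PHYS


# CFE carving: the post's dd line skips one 512-byte block and copies 256 blocks.
CFE_OFFSET = 0x200
CFE_SIZE = 0x20000


def extract_cfe(oem_image):
    """Return the 128 KiB bootloader slice of an unzipped OEM firmware image.
    Refuses short images instead of silently producing a truncated cfe.bin."""
    if len(oem_image) < CFE_OFFSET + CFE_SIZE:
        raise ValueError("image too short: %d bytes" % len(oem_image))
    return oem_image[CFE_OFFSET:CFE_OFFSET + CFE_SIZE]


if __name__ == "__main__":
    print(decode_jedec_id(0x0017301c))
    print("table mismatches:", table_mismatches())
    print("read 0x9f000000 -> offset 0x%x" % read_offset(0x9F000000))
    print("write 0x00000000 -> offset 0x%x" % write_offset(0x00000000))
    try:
        write_offset(0xBF000000)
    except ValueError as err:
        print("error writing to flash:", err)
    # constructed stand-in for an OEM image: 512-byte header, 128 KiB of 0xA5, trailer
    fake_image = b"\x00" * CFE_OFFSET + b"\xa5" * CFE_SIZE + b"\xff" * 16
    print("cfe.bin length:", len(extract_cfe(fake_image)))
```

Running the script prints the decoded EON/8 MiB identity for 0x0017301c, an empty mismatch list for the patched table, offset 0 for both the read and the write address, and reproduces the out-of-range failure for a write at 0xbf000000 against a bank based at 0; `extract_cfe` on a real unzipped OEM image gives the same 131072 bytes as the dd command.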


#2

Thank you for the detailed write-up.

Kindly include a link to where to buy such an FTDI 232H device?


#3

Unfortunately, as a new user, I was not allowed to put more than 2 links in my post. You can search on eBay or AliExpress for "FT232H" and the top results should be what I used. I got mine for $8. It looks like this:

NEW-FT232H-Multifunction-High-Speed-USB-to-JTAG-UART-FIFO-SPI-I2C-Module


#4

Thank you, I will try this product on DigiKey, 768-1103-ND, as AliExpress shipping will take too long.

I'm looking into whether it would be possible to modify your method to work on the Cisco Meraki MR18.


#5

The question is, would openocd support 128MB NAND flash?


#6

I cannot guarantee that the Cisco Meraki MR18 will work out of the box. Even if the chipset is the same, my router uses SPI, not NAND. So it could be that you will have to alter the ath79 config file. Maybe someone more experienced with openocd can comment.


#7

Understood, thank you for your feedback.


#8

Hi

Is the same procedure valid for the Archer C7? What about the VREF pin, use the one on the JTAG header or 3.3V?

Note: the device is not bricked, I am just trying to verify that my JTAG cable will work.


#9

Connect

nTRST - 300ohm - VREF