Installing existing firmware onto a similar device


I own a TP-Link TL-WR945N and I disassembled it to find that it's very similar to the TL-WR940N. The only difference is that the chassis is different and it seems that the TL-WR940N had its PSU built in in early versions. The question is, is it safe to flash mine with TL-WR940N firmware?


TL-WR940N v4

No, the differences might be at the flash level, and won't be seen.

just a dead end, huh?

Depends on how much time and effort you want to put into it, because it is you that needs to do most of the work to get it supported.

thanks for the reply!

Aside from what has already been said, you also would need to verify that the electrical schematic is identical (at least for all logic and network functions) for it to be possible to "drop in" firmware from another device. If there are differences even on something as simple as an I2C or SPI or GPIO pin, it could mean the difference between the hardware being functional and a brick.


Those circuit boards in the picture aren't even close to similar! One has a soldered screen around the cpu and some of the perimeter components are missing or not even placed at the same place.

The actual wire tracks are not placed at the same places either, so that would probably mean they are connected to different pins.

But isn’t it possible to run a ram image to see what happens?

i don't know how to pull it off (ram image) and kinda gave up on the idea anyway, maybe will revisit sometime later. it's a crappy router anyway

looking at the TL-945 it looks a lot like the 940

what you could do is wire up the serial port so you can experiment

then from the console save the partitions:

cat /proc/mtd

cat /dev/mtd0 > mtd0.bin
cat /dev/mtd1 > mtd1.bin
cat /dev/mtd2 > mtd2.bin
cat /dev/mtd3 > mtd3.bin
cat /dev/mtd4 > mtd4.bin
cat /dev/mtd5 > mtd5.bin
cat /dev/mtdx > mtdx.bin

recover these partitions with scp

then flash the firmware of the tl-940 and see if it works

as the SPI flash is an 8 pin memory it is also possible to read it with a CH341 programmer and the clamp which is fine

if you have some time to waste!!!

was thinking about it, yes. tho i need to get the uart to usb thingy first.

during my "research" i found a bunch of models with same SoC, PCB and NAND (is it really nand and not nor, whatever). It's kinda pointless to just re engineer it all especially this way, plus 940 pcb may just be double sided or i dunno.... most of the traces are still there and it's the connection and continuity between pins that matters, not the placement

if i try to compare the two .bin files - they're nearly identical but one has a slight offset of some sort in places which "differ"

Just out of curiosity about the hardware, do you mind me asking what those three grey cables in the pictures that are all cold soldered to the circuit board actually do?

they go inside antennas

The 3 cables are the wires for the antennas


Ok, wonderful I must say, I don’t think I have ever seen a GHz antenna cable soldered to a circuit board like that and I have seen a lot of radios inside…
And they seem to do it on every device!?
Wonder what the SNR, reflection levels and actual radio output quality are on these devices?
Wonder if they actually were EMC certified like this or they had proper connectors at the certification process and are using a “cheaper solution” in mass production!?
How far away can you go from these devices until you start losing wifi dots in the client?

the distance is 2.5-3 meters till i lose dots (the connection is really crap)
it doesn't have any emc markings tho

I am not surprised that you lose Tx power really fast with that technical solution.
It almost guaranteed has an EMC certification, or it isn’t allowed as a transmitter in the EU (the device in one of the pictures is an EU device).
But the EMC diploma is often printed in the user manual and not on the actual device.

I have a lot of devices where the wires are soldered. I would even say that it is less practical but better than with a connector (less losses)

well, i'll just try out getting ssh with CVE-2018-10167 and then dump and check the flash layout. if fl stacks - will just try to flash
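
An added example, not part of any post in this thread: one way to check on a workstation whether two flash layouts line up before flashing, by comparing the saved `cat /proc/mtd` output from each device. The two listings are constructed sample values, not read from either router, and the offsets assume the partitions are listed in order and are contiguous with no overlap.

```python
import re

# Constructed /proc/mtd listings (illustrative values, not taken from either router).
DEVICE_A = '''dev:    size   erasesize  name
mtd0: 00020000 00010000 "u-boot"
mtd1: 00100000 00010000 "kernel"
mtd2: 002c0000 00010000 "rootfs"
mtd3: 00010000 00010000 "config"
mtd4: 00010000 00010000 "art"
'''
DEVICE_B = DEVICE_A.replace('00100000 00010000 "kernel"', '00120000 00010000 "kernel"') \
                   .replace('002c0000 00010000 "rootfs"', '002a0000 00010000 "rootfs"')

ENTRY = re.compile(r'^(mtd\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"([^"]*)"$')

def parse_proc_mtd(text):
    """Parse /proc/mtd text into partition dicts with a derived start offset.

    /proc/mtd reports only size and erase size (both hex); the offset is
    accumulated here under the assumption that partitions are contiguous.
    """
    parts, offset = [], 0
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header line or blank line
        size, erase = int(m.group(2), 16), int(m.group(3), 16)
        parts.append({"dev": m.group(1), "name": m.group(4),
                      "offset": offset, "size": size, "erasesize": erase})
        offset += size
    return parts

def compare_layouts(a, b):
    """Return a list of differences; an empty list means the layouts match."""
    diffs = []
    if len(a) != len(b):
        diffs.append(f"partition count {len(a)} != {len(b)}")
    for pa, pb in zip(a, b):
        for key in ("name", "offset", "size", "erasesize"):
            if pa[key] != pb[key]:
                show = (lambda v: hex(v) if isinstance(v, int) else repr(v))
                diffs.append(f"{pa['dev']}: {key} {show(pa[key])} != {show(pb[key])}")
    return diffs

if __name__ == "__main__":
    for line in compare_layouts(parse_proc_mtd(DEVICE_A), parse_proc_mtd(DEVICE_B)):
        print(line)
```

Both constructed layouts add up to the same total flash size, yet the kernel/rootfs boundary sits at a different offset, which is the kind of difference that is not visible from the circuit board.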