Installing on TP-W8970: command setenv, tftpboot, sf are not found after telnet'ing

I have a TP-Link W8970B (Ver 1.0) and following the Web Interface Hack I am able to telnet into the device.

As far as I understand I should now start a tftpd server on my Ubuntu machine and on the TP-Link I should issue the following commands: setenv, tftpboot, sf erase and sf write. However, none of these commands is available on the router:

$ telnet 1023
Connected to
Escape character is '^]'.
TD-W8970B login: admin
Password: 1234
~ # setenv
-sh: setenv: not found

~ # [TAB][TAB] => only these commands are available:
arping           chmod            dhcpd            handle_card      ipcrm            ls               ping             rm               switch_utility   vsftpd
ash              cli              diagTool         hostapd          ipcs             lsmod            ping6            rmmod            tc               wlanconfig
atmarp           cos              dnsProxy         hotplug          ipsecVpn         mkdir            poweroff         route            telnetd          wpa_supplicant
atmarpd          cp               dsl_cpe_control  httpd            iptables         modem_scan       ppacmd           setkey           tftp             wpatalk
br2684ctl        cwmp             dyndns           ifconfig         iwconfig         mount            pppd             sh               umount           xtables-multi
br2684ctld       date             ebtables         igmpd            iwlist           netstat          ps               sleep            upnpd            zebra
brctl            df               echo             init             iwpriv           noipdns          racoon           smbcontrol       usb_modeswitch
busybox          dhcp6c           free             insmod           kill             ntfs-3g          radvd            smbd             usbp
cat              dhcp6s           getty            ip               killall          ntpc             reboot           smbpasswd        ushare
chat             dhcpc            halt             ip6tables        login            pidof            ripd             snmpd            vconfig

As you can see there is no sf or tftpboot (but there is tftp only).

Hmm, what now? Searching the forum for the specific TP-W8970B or TP-W8970 it looks like there are many people using it. Anything I am doing wrong?

The commands you quoted sound like uboot bootloader commands while you appear to have telnetted into a booted system.

Thanks, this would explain. Well, sorry if this is a stupid question but I searched the forums and web for how to boot into the uboot bootloader but cannot find anything: So, how can I telnet (or get into) the uboot bootloader? (where I could then issue the necessary commands)

You need to open the case and hook up a serial port to get into the bootloader and use that install method.

After you are able to telnet into the stock firmware, the 9970 page linked below the telnet instructions explains how to use that to install by copying firmware files from a USB flash drive.

Thank you. So dd plus cat (on the router) is the right approach after telnet'ing... This was not clear to me from the docs.

On it says:

Create a 1310720 bytes
dd if=openwrt-15.05.1-lantiq-xrx200-TDW8970-sysupgrade.image of=openwrt-15.05.1-lantiq-xrx200-TDW8970-sysupgrade-1.image bs=1310720 skip=1

Is this number 1310720 still right when using the current LEDE firmware from and not OpenWrt 15.05.1? Or would it be best to first flash to this older OpenWrt and then sysupgrade to the current LEDE? Better asking than bricking :wink: I read on the forum about people who ran into bricked hardware after using this method...

What you are doing is breaking the file into two parts so you can copy it into two mtd partitions defined by the stock firmware. The first 1310720 bytes (20 64k blocks) goes into mtd1 and the rest of the file is in mtd2. First you try to cram the whole file into mtd1, knowing it will crash after 1310720 bytes but that is OK since the first part does copy. Then you have created a "firmware-1" file using dd to chop off the first 1310720 bytes of the image so you can write that to mtd2. What ends up in the flash chip is a contiguous true copy of the image since the two partitions are adjacent in the chip.

LEDE / OpenWrt defines a different partition table so you don't have to do that to upgrade. I think it would be best to use 15.05 first then upgrade.

Hmm, damn it. I just did as explained in the wiki: (at least I think so, if you spot an error let me know):

jens@izmir:/media/jens/blackstick$ dd if=openwrt-15.05.1-lantiq-xrx200-TDW8970-sysupgrade.image of=openwrt-15.05.1-lantiq-xrx200-TDW8970-sysupgrade-1.image bs=1310720 skip=1
2+1 records in
2+1 records out
2883588 bytes (2,9 MB, 2,8 MiB) copied, 0,108301 s, 26,6 MB/s
jens@izmir:/media/jens/blackstick$ ls -lh
total 6,8M
-rw-r--r-- 1 jens jens 2,8M Okt  7 16:10 openwrt-15.05.1-lantiq-xrx200-TDW8970-sysupgrade-1.image
-rw-r--r-- 1 jens jens 4,1M Okt  7 16:10 openwrt-15.05.1-lantiq-xrx200-TDW8970-sysupgrade.image
jens@izmir:/media/jens/blackstick$ ls -l
total 6920
-rw-r--r-- 1 jens jens 2883588 Okt  7 16:10 openwrt-15.05.1-lantiq-xrx200-TDW8970-sysupgrade-1.image
-rw-r--r-- 1 jens jens 4194308 Okt  7 16:10 openwrt-15.05.1-lantiq-xrx200-TDW8970-sysupgrade.image
jens@izmir:/media/jens/blackstick$ cd
jens@izmir:~$ telnet 1023
Connected to
Escape character is '^]'.
TD-W8970B login: admin
~ # ls /var/
lock      run       Wireless  dev       passwd    ipsec
log       tmp       usbdisk   samba     3G        vsftp
~ # ls /var/usbdisk/
~ # ls /var/usbdisk/sda1/
~ # cat /dev/mtd0 > /var/usbdisk/sda1/mtd0
~ # cat /dev/mtd1 > /var/usbdisk/sda1/mtd1
~ # cat /dev/mtd2 > /var/usbdisk/sda1/mtd2
~ # cat /dev/mtd3 > /var/usbdisk/sda1/mtd3
~ # cat /dev/mtd4 > /var/usbdisk/sda1/mtd4
~ # cat /dev/mtd5 > /var/usbdisk/sda1/mtd5
~ # cat /dev/mtd6 > /var/usbdisk/sda1/mtd6
~ # ls -la /var/usbdisk/sda1/mtd1
-rwxrwxrwx    1   1310720 /var/usbdisk/sda1/mtd1
~ # cat /var/usbdisk/sda1/openwrt-15.05.1-lantiq-xrx200-TDW8970-sysupgrade.image > /dev/mtdblock1
cat: write error: No space left on device
~ # cat /var/usbdisk/sda1/openwrt-15.05.1-lantiq-xrx200-TDW8970-sysupgrade-1.image  > /dev/mtdblock2
~ # reboot 
Connection closed by foreign host.

...but although WiFi and network LEDs are lighted I cannot ping the W8970 anymore. I waited for 3 minutes after flashing, also re-plugged several times now. Looks like it's bricked now :-/ No WiFi, nothing... should be the right IP even after flashing I guess. I also made sure my eth is on (like when I flashed via telnet). Damn it.

jens@izmir:~$ ping
PING ( 56(84) bytes of data.
From icmp_seq=1 Destination Host Unreachable
From icmp_seq=2 Destination Host Unreachable
From icmp_seq=3 Destination Host Unreachable

as you asked for some information in the other thread I opened, I would like to give you some short pointers.
When I installed LEDE on the TD-W8970B, I had just the same problems as you had. So I proceeded as the people here already proposed: Use telnet to get on the router and then install LEDE from the USB stick. I also installed OpenWRT first and when that worked, I installed LEDE via the OpenWRT GUI.

I checked the commands you used and in my opinion you did everything right according to the tutorial. I do not not remember doing anything different than in the tutorial, but I am not perfectly sure about this.

From your post, I cannot deduct whether you connect to the flashed router via WIFI or via a cable. I think that WIFI did not work on my router after flashing, although the LED might have been already lighted. So if you do not already connect via cable, please try connecting via cable and use the command line interface or the GUI to configure the WIFI.

Ok, I am curious now and decided to by a usb-serial cable.

Any recommendation for a cable? (should be working under Linux).

Also, in order to connect the usb-to-serial cable to the W8970 is it really necessary to soldier the wires to it? Or is it sufficient to just fix them with a little bit of tape so that the wires are "connected" to (touch) it?

LOL! YMMD! :smiley:

Thanks, pretty helpful comment :frowning: What's so laughable about this? If I connect currents, it's also fine to connect the wires (without soldiering them permanently)...

Do it the only right way - or leave it.

I got it working now. Maybe this is useful for someone else running into the same problem, so I'll leave this here.

I was able to connect with the device using its failsafe mode.

Then all the methods in order to reset to factory defaults (that is, device normally listens on were not working).

So I used sysupgrade as describe here in order flash the latest lede version. This worked and I can now access the device via Luci or ssh like I am used to it from other devices.