It has an FCC ID. Means it has internal pictures for everybody to see online:
And that means it's the same as a Deco S7. So no M4R V3 in a different package.
Does your device have three Ethernet ports too?
Next step would be to carefully open the device just like in my instructions for the M4R V2: https://imgur.com/a/gK1CHMb
And then take some good photos of the mainboard so we can find the UART/serial pins/pads/holes..
Edit: Judging from the blurry internal photos on the FCC site the pads are at the top of the board. But that's just a guess. We really need a better photo to confirm that.
I've hit a snag with disassembly. There seem to be three wires attached from the case to a panel on the motherboard that I won't have the dexterity to reattach. I also have no soldering skills.
The three cables go to the three antenna boards. You either need to unlatch them from the mainboard as you can see in the first photo you took. Or you need to look at whether you can take off the top and slide the antenna boards out of their holders.
And I hate to say this but without soldering three pins to RX, TX and GND this won't progress any further.
Just to tell you the whole story:
After that you need to hook up a TTL-2-USB (3.3V) dongle to it to get access to the bootloader.
And then you need to set up the openwrt build environment to be able to tinker around with some config files and compile a test firmware to test on your device.
Or you wait for someone else who owns the device to do it. Which might never happen.
I returned the U3.6 devices, and bought a used S4 from the marketplace instead. This appears to be an M4V4 (U4.6). No luck grabbing a U2.6 so far 
Is there a reason it needs to be an S4 if you want a device that is already supported? The M4 would work the same and V1, V2 and V4 are already supported. The case is just a bit taller.
Or you could go even cheaper but still with the same SoC and radios and buy an Archer C6 V2, which is an M4/S4 V2 just with less flash memory. People are selling those for as little as 15€.
And please don't buy it because it supports mesh. That's solely software from TP-Link you won't have on OpenWrt. OpenWrt has its own solution for that which works on most devices that support OpenWrt. And if you connect all of them via Ethernet cables the mesh is even useless.
Yeah, the primary reason I got the S4 over the M4 was the mesh support. I'm aware it's all software features, but the purchase was a hedge against not being able to run openwrt, and using the stock firmware as a fallback.
And I'm connecting them all via ethernet too.
This alone doesn't make any sense. The S4 IS an M4. Both have the same mesh support.
And I'm connecting them all via ethernet too.
Then you don't need any mesh. Mesh means that the access points connect to each other wirelessly. And that's it.
Creating one big wifi network with client roaming has nothing to do with meshes. That is accomplished by creating the same SSID with the same settings (like the same password and encryption) on each access point and generally setting them all up as dumb APs. (Or leaving one in router mode but with the same SSID, if you don't have a separate router.) I have this setup with 9 different access points and I can make VoIP calls and run around our big property without a dropped connection.
But keep in mind that your mileage will vary in terms of bandwidth. Multiple people have reported that they don't get the same bandwidth on OpenWrt as they got with the stock firmware. I'm totally okay with that because I mainly need things like multiple SSIDs and VLAN support and a high bandwidth isn't that important in our network. But if it is to you then you should definitely look into what device to get based on its OpenWrt support and not based on what the manufacturer says the features are.
I'm hoping someone might be able to do a little handholding. I attempted the installation steps and got to the webgui however, it seems all I got was an error. Happy for any suggestions.
Model/Version/FCC ID?
Model: S4R
Version 2.8
FCC ID: TE7M4RV2
Which exploit firmware did you try? The one linked in the original instructions was for V2 only (not 2.x) , but I later published an updated version that might work for other revs: https://github.com/naf419/tplink_deco_exploits/releases/download/v1/deco_all_webfailsafe_faux_fw_tftp.bin
Excellent! I will give this a try and let you know how it went.
Howdy! I tried the V2_dynamic for V2.8 but was unsuccessful. I also tried downgrading my firmware and then trying the V2_dynamic but still the same issue. Based on the FCC ID, do you think there was a big difference between V2.6 and V2.8?
The problem lies with the bootloader. And that isn't touched at all when upgrading or downgrading.
If none of the exploits work then naf would need a dump of the bootloader on your device. And so far that means you have to open it up, attach a usb2ttl dongle to its UART/serial interface and directly access the running bootloader with which you can them dump the contents of the flash memory to a file and send that to your computer.
I just successfully installed OpenWrt on my S4 V.2 tonight and I got the same error message.
Did you actually change your LAN back to DHCP at this point and check whether you get an IP from the "temporary" openwrt kernel booted? I got confused, because I got the same error message around the 40% mark, but the exploit actually worked and so the S4 no longer responds on 192.168.0.1, but on 192.168.1.1
If you (as I did) loaded up a snapshot initramfs-kernel.bin in your tftp server, the Deco will respond on SSH, not in a web browser. After sys-upgrade, I'm now on the regular 23.05.2 version with luci preinstalled.
Just mentioning this in case you were mislead by the apparent error message.
Thanks for all the efforts on this! However no joy here I'm afraid..
Model: Deco S4R(EU) Ver: 2.0
FCC ID: https://fccid.io/2AXJ4M4V2
"deco_all_webfailsafe_faux_fw_tftp.bin" seems to upload ok.. then I can see "initramfs-kernel.bin" being successfully transferred in the TFTP server log. But after that.. nothing. No response at all on 192.168.1.1 (ping, ssh, http). Device LED goes Yellow solid (starting up) then Blue pulse (ready for setup). Using the "kernel" image from here.
Any hints? Thanks!
The S4R(EU) shares the same stock firmware as the US version, so I assume that the openwrt S4Rv2 kernel image you link to should work for it as well, and seeing the tftp download confirms that the bootloader exploit is working correctly up to that point.
Double check that its not a network problem, i.e. ensure that after the tftp transfer is complete you are switching the pc's network from the static 192.168.0.2 used for tftp to either dhcp or a static address in the 192.168.1.1's subnet
Other than that, theres not much debugging to do that doesn't involve opening up the case and connecting to the serial port headers on the board to see whats going on
Hey Naf,
I'm running into the same issue as Toolybird above on my S4R (EU) v2.0. The exploit you wrote works, it downloads the file via tftp, then restarts. It seems to be a problem during the decompression of the initramfs-kernel image on versions rc4 and newer. rc1-rc3 all uncompress fine and load the image including LUCI into ram, but rc4 as well as the 23.05.0-23.05.3 release versions (plus the current snapshot) all fail to uncompress and then reset the board. I've soldered on an FTDI usb serial module and have been able to capture the following console output.
U-Boot 1.1.4 (Sep 18 2020 - 21:22:11)
ap152 - Dragonfly 1.0DRAM:
sri
ath_ddr_initial_config(278): (ddr2 init)
ath_sys_frequency: cpu 775 ddr 650 ahb 258
Tap values = (0xf, 0xf, 0xf, 0xf)
128 MB
Top of RAM usable for U-Boot at: 88000000
Reserving 492k for U-Boot at: 87f84000
Reserving 192k for malloc() at: 87f54000
Reserving 44 Bytes for Board Info at: 87f53fd4
Reserving 36 Bytes for Global Data at: 87f53fb0
Reserving 128k for boot params() at: 87f33fb0
Stack Pointer at: 87f33f98
Now running in RAM - U-Boot at: 87f84000
Flash Manuf Id 0x1c, DeviceId0 0x70, DeviceId1 0x18
flash size 16MB, sector count = 256
Flash: 16 MB
*** Warning - bad CRC, using default environment
Power up PLL with outdiv = 0 then switch to 3
In: serial
Out: serial
Err: serial
Reading Partition Table from NVRAM ... OK
Parsing Partition Table ... OK
[NM_Error](nm_api_checkDefaultMac) 00483: mac[6C-5A-B0-XX-XX-XX]
Net: No valid address in Flash. Using fixed address
athr_mgmt_init ::done
Dragonfly ----> S17 PHY *
athrs17_reg_init: complete
SGMII in forced mode
athr_gmac_sgmii_setup SGMII done
: cfg1 0x80000000 cfg2 0x7114
eth0: 00:03:7f:XX:XX:XX
eth0 up
eth0
Setting 0x181162c0 to 0x4b962100
Trying eth0
eth0 link down
FAIL
Trying eth0
eth0 link down
FAIL
Trying eth0
dup 1 speed 1000
HTTP server is starting at IP: 192.168.0.1
HTTP server is ready!
Request for: /
Request for: /favicon.ico
## Error: request file name not suport!
Request for: /favicon.ico
## Error: request file name not suport!
Data will be downloaded at 0x80060000 in RAM
Upgrade type: firmware
Upload file size: 32768 bytes
Loading: #######################
Firmware Recovery file length : 32768
fw_type_name : xxxxJUST DOING SOME SSCANF STACK SMASHING NOTHING TO SEE HERExxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxS000S001S002▒
cloud nm_tpFirmwareVerify : 270
[NM_Error](handle_fw_cloud) 00166: Check rsa error.
Trying eth0
Using eth0 device
TFTP from server 192.168.0.2; our IP address is 192.168.0.1
Filename 'initramfs-kernel.bin'.
Load address: 0x81000000
Loading: T T
TFTP error: 'File not found' (1)
Starting again
T
TFTP error: 'File not found' (1)
Starting again
T #################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
########################################################
done
Bytes transferred = 5609055 (55965f hex)
## Booting image at 81000000 ...
Image Name: MIPS OpenWrt Linux-5.15.134
Created: 2023-10-09 21:45:35 UTC
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 5608991 Bytes = 5.3 MB
Load Address: 80060000
Entry Point: 80060000
Verifying Checksum at 0x81000040 ...OK
Uncompressing Kernel Image ... ERROR: LzmaDecode.c, 543
Decoding error = 1
LZMA ERROR 1 - must RESET board to recover
I'm not sure what else you need from here in terms of debugging, so if you could point me in the right direction I can try a few different other things.
Note, I haven't tried actually installing openwrt as I want to keep the router as-is in case I need to do any debugging to get this fixed up, so I don't know if starting at rc3 and then upgrading the firmware to a release version via LUCI will work or if it'll cause issues. If someone else wants to try, let us know how it goes.
Toolybird, if you haven't already, try using the intramfs-kernal.bin for 23.05.0-rc3 below and see if you have any luck.
https://downloads.openwrt.org/releases/23.05.0-rc3/targets/ath79/generic/openwrt-23.05.0-rc3-ath79-generic-tplink_deco-s4-v2-initramfs-kernel.bin