OpenWrt support for Deco S4

naf · April 5, 2024, 12:21pm

I think the initramfs size has increased over time just enough so that by 23.05.3-rc4 the lzma output is stomping the input as it uncompresses.

for 23.05.3-rc3, the compressed image is written at 81000000-8154CAE3 and then gets uncompressed to 80060000-8151F107. im guessing the larger rc4 loses that race.

these have 128MB RAM, so we should just be able to tftp the initramfs to a higher address like 82000000.

pickljar, you can test this theory by ignoring the exploit and running this at the uboot prompt using a 23.05.3-rc4 or 23.05.x release)

setenv serverip 192.168.0.2
setenv ipaddr 192.168.0.1
tftpboot 0x82000000 initramfs-kernel.bin
bootm 0x82000000

if thats works, Toolybird can either just use the 23.05.3-rc3 version initramfs during the exploit then sysupgrade to whatever version is preferred, or wait on me to put out an updated exploit with the higher address

pickljar · April 6, 2024, 3:04am

Yep, that worked, using the OpenWrt 23.05.3 intramfs-kernel.bin

U-Boot 1.1.4 (Sep 18 2020 - 21:22:11)

ap152 - Dragonfly 1.0DRAM:
sri
ath_ddr_initial_config(278): (ddr2 init)
ath_sys_frequency: cpu 775 ddr 650 ahb 258
Tap values = (0xf, 0xf, 0xf, 0xf)
128 MB
Top of RAM usable for U-Boot at: 88000000
Reserving 492k for U-Boot at: 87f84000
Reserving 192k for malloc() at: 87f54000
Reserving 44 Bytes for Board Info at: 87f53fd4
Reserving 36 Bytes for Global Data at: 87f53fb0
Reserving 128k for boot params() at: 87f33fb0
Stack Pointer at: 87f33f98
Now running in RAM - U-Boot at: 87f84000
Flash Manuf Id 0x1c, DeviceId0 0x70, DeviceId1 0x18
flash size 16MB, sector count = 256
Flash: 16 MB
*** Warning - bad CRC, using default environment

Power up PLL with outdiv = 0 then switch to 3
In:    serial
Out:   serial
Err:   serial
Reading Partition Table from NVRAM ... OK
Parsing Partition Table ... OK
[NM_Error](nm_api_checkDefaultMac) 00483: mac[6C-5A-B0-XX-XX-XX]

factory boot check kernel ok.
Autobooting in 1 seconds
Net:   No valid address in Flash. Using fixed address
athr_mgmt_init ::done
Dragonfly  ----> S17 PHY *
athrs17_reg_init: complete
SGMII in forced mode
athr_gmac_sgmii_setup SGMII done
: cfg1 0x80000000 cfg2 0x7114
eth0: 00:03:7f:XX:XX:XX
eth0 up
eth0
Setting 0x181162c0 to 0x4b962100
ath> setenv serverip 192.168.0.2
ath> setenv ipaddr 192.168.0.1
ath> tftpboot 0x82000000 initramfs-kernel.bin
Trying eth0
Using eth0 device
TFTP from server 192.168.0.2; our IP address is 192.168.0.1
Filename 'initramfs-kernel.bin'.
Load address: 0x82000000
Loading: #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         ###########################################################
done
Bytes transferred = 5624360 (55d228 hex)
ath> bootm 0x82000000
## Booting image at 82000000 ...
   Image Name:   MIPS OpenWrt Linux-5.15.150
   Created:      2024-03-22  22:09:42 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    5624296 Bytes =  5.4 MB
   Load Address: 80060000
   Entry Point:  80060000
   Verifying Checksum at 0x82000040 ...OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80060000) ...
## Giving linux memsize in bytes, 134217728

Starting kernel ...

[    0.000000] Linux version 5.15.150 (builder@buildhost) (mips-openwrt-linux-mu                                      sl-gcc (OpenWrt GCC 12.3.0 r23809-234f1a2efa) 12.3.0, GNU ld (GNU Binutils) 2.40                                      .0) #0 Fri Mar 22 22:09:42 2024

naf · April 6, 2024, 3:42am

new exploit release, to support larger initramfs found in 23.05.x releases:

https://github.com/naf419/tplink_deco_exploits/releases/download/v2/deco_all_webfailsafe_faux_fw_tftp_v2.bin

pickljar · April 6, 2024, 4:09am

Appreciate the contributions naf. I've just tested it it and can confirm it's working as intended.

Toolybird If you're still wanting to install openwrt, try naf's new exploit version with the latest openwrt release 23.05.3 intramfs-kernel.bin

Toolybird · April 10, 2024, 7:14am

Yes! You folks are legends!! I now have the initramfs booting successfully with the v2 exploit. I'm one of those types who has lost their soldering iron.. so this is amazing

Gotta say, special props to @naf for that code. To the casual observer that seems like some kind of feat. Thanks again!

DiGiSoUL84 · April 11, 2024, 3:30pm

I'm kinda stuck and not sure where to go from here so any advise would great if possible.

I also have been trying to get a v2 to successful flash. Before today I couldn't get any of the exploits to work but after some progress this morning I can safely say that any of those attempts were going to fail because I discovered that I didn't have my tftp server set up correctly to serve the initramfs.

Now that I know the tftp server is working properly and using the new initramfs + the new exploit I can get a solid green led then flashing green led as soon as I click update on the firmware recovery page. Is there a long waiting period with the flashing green led because once it starts flashing it never goes back to solid green or the white. It doesn't reboot just sits there flashing. If I change IP's over 192.168.1.x I don't get the web gui just the "No Internet Connection" error page.

Am I missing a step? Or performing the steps in a wrong sequence? I've seen where others have been successful so I'm hoping the legends can also assist me.

Much love and respect

mlw19mlw91 · July 17, 2024, 9:17pm

Same issues here! NO exploit is currently working. I have my tftp server setup and listening. I can connect to it with a laptop on the very same ethernet port that I have the router hooked up to. Also, the router itself never sends a single request to the tftp server. not a single one. This is with plugging it in while holding reset (or not holding reset, makes no difference)

Unfortunately I cannot attach wireshark capture, but you wouldn't see much anyways. You can see the traffic when I go to login to the interface, but there is no request from the router to my pc.

I have heard it may be beneficial to leave a switch hooked up to the ethernet port to keep the card on for some reason. Is that actually the case?

I can do a zenmap of the router and there is not a single open port when waiting for recovery.

Just to confirm I am using TP recovery steps from their website:
Using the Firmware Recovery Tool - Home Network Community (tp-link.com)
Also tried with alternative settings here:
Restoring a bricked TP-Link router with TFTP - Milan Kragujević (milankragujevic.com)

mlw19mlw91 · July 17, 2024, 9:22pm

Also are we sure we're using the right method?

TP link themselves do not say that the TFTP tool is valid for this router

mlw19mlw91 · July 17, 2024, 10:05pm

Guys sorry I should elaborate, I'm an IT student so I know my way around this stuff a tiny bit! (not graduated yet)

I can never capture any single packet from the router except in response to me visiting the URL 192.168.0.1. Other than that there is no single packet sent with the router as the IP that I have seen. There is no request to 192.168.0.2 for any files, nothing shows up in tftp server log, etc.

EDIT:
A few more attempts and I've now got a bricked deco s4. Cannot recover with tp link suggested method. Cannot recover with any of my methods either.

The guide states to use a method that tp link says is not available for these routers is one confusing thing. Further, I tried to upload the bypass through uboot and I think that might've caused the issue, no idea.

bobthebuilder · July 17, 2024, 10:47pm

You're severely misunderstanding what is going on here.

Many TP-Link routers will try during bootup to contact a TFTP Server for new firmware. The S4 doesn't do that.

The S4 has the HTTP recovery with that nice webpage where you can select a firmware file and upload it.

Instead of a firmware file you upload the exploit.

And while the bootloader is checking the file. the exploit breaks out of that and executes bootloader commands.

And those commands are then using the tftp client of the bootloader to get the firmware from your tftp server and execute that.

At no point do you need a firmware recorvery tool from tp-link nor is any tftp guide for other routers going to work.

The steps at https://openwrt.org/toh/tp-link/deco_s4 are correct. If they don't work on your router then you've likely got one where TP-Link updated the bootloader to prevent the exploit from working....or you did it wrong.

Maybe these instructions are clearer to you. But keep in mind that they're for the M4, not S4, and you need to of course use the firmware files for the S4. But other than that it should work the same:

bobthebuilder · July 17, 2024, 10:58pm

Does that mean you had access to uboot via a serial console?

I can only guess that you then took the exploit file and uploaded that? Why?

If you had access to uboot via the serial console then you could have just used the same commands the exploit is using. The following lines are literally inside the exploit file as readable text:

setenv serverip 192.168.0.2
setenv ipaddr 192.168.0.1
tftpboot 0x82000000 initramfs-kernel.bin
bootm 0x82000000

But if you uploaded whatever to the wrong address then you might also have overwritten the bootloader. If that's the case then only a flash chip programmer can revive that device.

mlw19mlw91 · July 18, 2024, 2:42am

My S4 experienced RUD and is now in the bin.

I believe I understood the instructions correctly the first time, the exploit uploaded fine, but then nothing else. Let's just say there was great confusion on versions, and at the end of the day, the exploit can't fix the new mistake