OpenWrt support for TP-Link Deco M4R

While you can create a mesh network with openwrt, it's not the same as the one that TP-Link uses. So if you flash the V2s then the V3s will become useless since there currently is no openwrt for the V3.

If you really want to go with openwrt then I'd probably try and sell the V3s and buy used V1s, V2s or V4s.

But you might want to test the mesh network with your V2s before you commit to anything. The wifi drivers for the V1 and V2 aren't the greatest (and that won't change) and thus you can't create an access point network and a mesh network on the same radio at the same time without the link quality going down the drain. So you have to commit either the 2.4GHz or the 5GHz radio to the mesh network and only use the other radio for the access points. At least that was the case last time I tried it.


And just to prevent confusion since everybody has a different opinion about what a mesh network is: The mesh network is there for communication between the openwrt devices. Every one of those still needs an access point for end devices like smartphones or laptops. The mesh network basically only replaces a wired backhaul.

Of course if you can connect all of the openwrt devices with Ethernet cables then that works fine and has 2.4GHz and 5GHz access points available. My whole network is set up like that. But in that case you're not using the mesh functionality anymore.

And no, seamless roaming between access points is not equivalent to a mesh.

1 Like

Hi Bob,

Thank you so much for your advanced reply. It is really helpful. So, I need to flash all the radios I want to use, even the non-primary ones?

Thanks

If you want the actual mesh backhaul to work then either all are using the stock firmware or openwrt.

But you don't need Decos for openwrt's mesh. Any openwrt device will do.

The Archer C6 V2 for example has the same hardware inside as the Deco M4R V2 but has actual antennas and a lot more switch ports exposed. And it's cheaper if you can find one on ebay.

Just to be sure, mesh is the technology by which routers communicate with each other and roaming is a protocol that allows mobile devices to seamlessly transition between said routers, correct? And also from what I understand, if I was able to do a wired backhaul instead of the wireless mesh I would be able to make a single SSID that works both for 2.4 and 5 GHz, right?

Roaming isn't a protocol. Your smartphone simply chooses the access point with the strongest signal from the ones available with the same SSID.

There are protocols like 802.11r that help with the switch, but at the end of the day it's always up to the wifi client how it switches between access points.

Apart from that you've understood correctly.

Thanks! Will try to use a wired backhaul to make it as similar as possible to the original firmware. I have activated 802.11r before on the factory firmware but it seemed to have caused stability issues, will try it on OpenWRT as well but I am not super optimistic.

I have never worked with pppoe. And this isn't a question specific to Decos. You should ask it in the appropriate sub forum for openwrt settings.

1 Like

said free time is now available!
i'll post when there are relevant updates

1 Like

:partying_face:
note the:

  • 24.10
  • not initramfs
  • working network interfaces

will upload branch soon

4 Likes

openwrt for deco m4r v3 (do ignore the 23.05 branch, changes are in 24.10)
bootloader patch will now be packaged into a clean shell script

2 Likes

@caeklol I wanted to build it myself but the menu kind of scares me :smiley:
Do you have a config or perhaps have an already built image so I can flash the device and test?

currently the process to install openwrt on the v3 is as follows:

  • obtain root shell on the device by uploading a fake firmware image which exploits the stock fw upgrade page at 192.168.68.1. this is naf's exploit
  • install bootloader mod to make the system bootable when our version of openwrt is installed. (there are some weird reasons why we need this in the first place)
  • flash openwrt via flashcp

i'm still finding a usable version of flashcp for the deco so i've been using a patch to the fw upgrade page that @naf419 and i formulated while testing but i'm not willing to give that currently as it may be... let's say unpredictable


if you'd like to test something it can be the bootloader mod!
you'll need to run the above exploit by naf (there should be usage instructions), then upload that to the deco's firmware upgrade page (192.168.68.1), then ssh into the deco (pass: letmeinbrudipls)
you can then run this shell script to check if the bootloader partition is as expected for the mod:

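#!/bin/sh
# Read-only check: rebuild the bootloader image from /dev/mtd8 with the
# date bytes left out, then compare its md5 with the expected value.

# ignore at 0x6538F for 0x10 bytes (date)
dd if="/dev/mtd8" bs=4096 count=101 of=/tmp/sbl1.bin            # 0x00000 - 0x65000
dd if="/dev/mtd8" bs=1 skip=413696 count=911 of=/tmp/sbl2.bin   # 0x65000 - 0x6538F
# skip=415623 is 0x65787 (0x6539F would be skip=414623 count=3169);
# values left as posted because the expected md5 depends on these exact ranges
dd if="/dev/mtd8" bs=1 skip=415623 count=2169 of=/tmp/sbl3.bin  # 0x65787 - 0x66000
dd if="/dev/mtd8" bs=4096 skip=102 of=/tmp/sbl4.bin             # 0x66000 - end
cat /tmp/sbl1.bin /tmp/sbl2.bin /tmp/sbl3.bin /tmp/sbl4.bin > /tmp/sbl.bin
hash=$(md5sum "/tmp/sbl.bin" | awk '{print $1}')
# quote $hash so an empty result fails the comparison instead of breaking the test
[ "$hash" = "32394a7cff03a3bfb7ad75ed353e2cf8" ] || {
	echo "Error: failed to verify bootloader hash"
	exit 1
}

echo "hash is correct!"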

should be 100% safe so far, cause the above is just a verification step. nothing written to flash yet

2 Likes

I can confirm I have 5x of Deco M4R v3 with firmware 1.6.1 and the exploit works and the hash is correct.

And I am keen to get OpenWRT onto all of them.

How can I help please?

1 Like

If anyone wants to try this, I was struggling a bit with the instructions, did not read everything fully the way I should have :wink:

  1. Download the exploit from naf as described above (OpenWrt support for TP-Link Deco M4R, post #355 by caeklol).
  2. Upload the exploit via the device's firmware upgrade page. The IP address will vary depending on your deco. Nothing notable will happen, it will just upload the file and all will continue and it will look like it succeeded but nothing special is visible.
  3. Now SSH into the device's IP using port 2222, username 'root', password 'letmeinbrudipls'
  4. Check bootloader signature as in OpenWrt support for TP-Link Deco M4R, post #355 by caeklol

hello!

great! in that case, you can test the mod at your own risk
to generate the patched bootloader:

#!/bin/sh

echo "copying mtd8 to tmp"
dd if=/dev/mtd8 of=/tmp/mtd8.bin

echo "patching /tmp/mtd8.bin"
printf '\xcc\xb2' | dd of=/tmp/mtd8.bin bs=1 seek=70584 conv=notrunc # adjust length for later modifications
printf 'Really scrub this NAND flash? <y/N>\x0a\x00\x00\x00\x00sf probe &&sf read 0x84000000 0x1020000 0xfe0000 && \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' | dd of=/tmp/mtd8.bin bs=1 seek=443320 conv=notrunc # hardcode loaded address to 0x84000000

echo "patched bootloader is at /tmp/mtd8.bin"

for safety, you can verify flash contents by extracting the modded bootloader (/tmp/mtd8.bin) via tftp (set up a tftp server, then use built-in tftp to put the file onto the tftp server) then uploading that here for verification


...
or if you like risk, you can just write the file to flash without verifying contents (dangerous and irreversible) and hope for the best:

mtd erase /dev/mtd8
mtd write /tmp/mtd8.bin /dev/mtd8

the bootloader mod shouldn't do anything by itself, you should be able to boot the regular firmware like normal but it will allow you to boot openwrt later on once i find a comfortable method to use to flash the firmware with

apologies for my phrasing! if you have any questions feel free to ask
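
Added example (not code from this thread or from the OpenWrt project): a host-side check for a patched dump such as the /tmp/mtd8.bin produced above, confirming that it differs from an untouched dump only inside the intended byte windows and that every window actually changed. The function name `check_patch` and the START:LEN argument format are assumptions made for this example.

```sh
#!/bin/sh
# Added example; check_patch and the START:LEN format are made up here.
# usage: check_patch ORIGINAL PATCHED START:LEN [START:LEN ...]
# START is a 0-based decimal byte offset, the same number given to dd seek=.
check_patch() {
    orig=$1; new=$2; shift 2
    # dd with conv=notrunc must never change the image size
    [ "$(wc -c < "$orig")" -eq "$(wc -c < "$new")" ] || {
        echo "size mismatch between $orig and $new"; return 1; }
    # cmp -l prints one line per differing byte: 1-based offset, then both values
    diffs=$(cmp -l "$orig" "$new" | awk '{print $1 - 1}')
    # 1) no byte may differ outside the listed windows
    for off in $diffs; do
        inside=0
        for w in "$@"; do
            start=${w%%:*}; len=${w##*:}
            [ "$off" -ge "$start" ] && [ "$off" -lt $((start + len)) ] && inside=1
        done
        [ "$inside" -eq 1 ] || { echo "unexpected change at offset $off"; return 1; }
    done
    # 2) every window must hold at least one changed byte,
    #    otherwise that patch step never reached the file
    for w in "$@"; do
        start=${w%%:*}; len=${w##*:}; hit=0
        for off in $diffs; do
            [ "$off" -ge "$start" ] && [ "$off" -lt $((start + len)) ] && hit=1
        done
        [ "$hit" -eq 1 ] || { echo "no change inside window $w"; return 1; }
    done
    echo "patch windows verified"
}
```

For the script above the windows are 70584:2 and 443320:N, with N the byte length of the second printf payload. A "no change inside window" result is what a paste that cuts the line off after `| dd` would produce, since nothing is then written at that offset.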

Sweet, thanks.
First time I worked with TFTP. Worked okay after I figured it cannot create the file on windows. Doh.

One step after another.

But how do I attach the bootloader anywhere here?

Link to bootloader mtd8.bin:

apologies for the delay!

strange, i can't reproduce this. how might i ask is the script being run? is it just pasted to console via ssh?
if so, maybe try pressing enter after you paste? some consoles miss running a line after pasting

Ok, here's a new version:

/tmp # #!/bin/sh
/tmp # 
/tmp # echo "copying mtd8 to tmp"
copying mtd8 to tmp
/tmp # dd if=/dev/mtd8 of=/tmp/mtd8.bin
1024+0 records in
1024+0 records out
/tmp # 
/tmp # echo "patching /tmp/mtd8.bin"
patching /tmp/mtd8.bin
/tmp # printf '\xcc\xb2' | dd of=/tmp/mtd8.bin bs=1 seek=70584 conv=notrunc # adjust length for later modifications
2+0 records in
2+0 records out
/tmp # printf 'Really scrub this NAND flash? <y/N>\x0a\x00\x00\x00\x00sf probe &&sf read 0x84000000 0x1020000 0xfe0000 && \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x
00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' | dd 
Really scrub this NAND flash? <y/N>
sf probe &&sf read 0x84000000 0x1020000 0xfe0000 && 0+1 records in
0+1 records out
/tmp # 
/tmp # echo "patched bootloader is at /tmp/mtd8.bin"
patched bootloader is at /tmp/mtd8.bin
/tmp #
/tmp # tftp -pl mtd8.bin 192.168.1.44
mtd8.bin             100% |***************************************************************************************************************************************************************************************************************************|   512k  0:00:00 ETA
/tmp # 

Are you sure about this part in your script?
I cannot figure out what this is supposed to be doing.