Replacing firmware when password not known

PaulWebster · February 1, 2023, 12:19pm

Hello,

I've picked up a commerical device that is a badged and old TP-Link router/WAP.
I cannot access their web interface because it is password protected (which is fine) - because all I want to do is completely replace their firmware and configuration.
I can see from their web login prompt that it appears to be running OpenWrt - and I suspect it is from somewhere around release 14.
I managed to get it into "failsafe" mode - but telnet access prompts for a failsafe password (which is probably good for them to have done with a commercial device) which I don't know (tried some obvious ones).
It comes up on 192.168.1.1 in failsafe - and 192.168.50.1 in regular boot.

Is there a chance that tftp to the device and an upload of the factory firmware (which I have removed the "boot" header from) will work?
I have tried but am not seeing it requesting as tftp client and I did not get a response when I tried to act as a client to the device tftp server (if it has one).
If yes - would that have to be in failsafe mode or could it work during boot in "normal" mode?
Is timing critical in both?
In failsafe I have very fast flickering light and can reliably ping it for a long time.

Te device is an old TL-MR3020 V1.9 - and I don't want to say who the badged version is from (at least not at this moment in time) because I have also reached out to them to see if they will help and I do not see mentions on web about them using it.

ulmwind · February 1, 2023, 12:28pm

It is 4x32 device, get rid of it.

"Reset" button serves to reset password.

frollic · February 1, 2023, 12:28pm

you might need serial console access, for TFTP boot, but I agree with @ulmwind, it's too old.

PaulWebster · February 1, 2023, 1:39pm

I like the idea of having a small travel router and it only cost me around 5USD with shipping … so I am keen to try a bit more - even with the limitations especially as the commercial organisation appears to have already put OpenWrt on it.

As far as I can see, there is only one external button plus the slider. Using them I can get it into failsafe mode but I don’t think it has reset any passwords.

When in “failsafe” with a regular OpenWrt (v14) is the failsafe prompt to login coming from OpenWrt or is it some vestige of the manufacturer’s firmware?

frollic · February 1, 2023, 1:40pm

in regular openwrt, failsafe isn't password protected.

PaulWebster · February 1, 2023, 1:55pm

I do realise that.
But is it (likely that) it is OpenWrt that is prompting for it (via a password being set in the configuration of OpenWrt) rather than a vestige?
In other words … if it is OpenWrt doing it then I feel that I do have a chance of getting in once I can find out if tftp is really possible when this happens.

frollic · February 1, 2023, 1:58pm

it's probably something coming from the vendors modification of stock openwrt,
I'd expect it to disappear once you've managed to flash vanilla openwrt.

PaulWebster · February 1, 2023, 2:09pm

This old post shows how to set it

In “normal” OpenWrt failsafe … is OpenWrt operating as tftp client or as server? I thought Server but I can’t get a response.

frollic · February 1, 2023, 2:26pm

Openwrt doesn't do the tftp recovery, the boot loader does, (in most cases) it'd pull the
image from a TFTP server.

But you need to figure out the IP it's trying to DL from, and the file name.
If you figure out the 1st, the 2nd will solve itself.

It'll also become clear, if you attach the serial console.

Wireshark is a good tool for sniffing traffic coming from the router.

twinkleLED · February 1, 2023, 2:29pm

The tl-mr3020 V3 is fine for modern OpenWrt. 8/64

If you have to buy a new travel router, the GL Inet Mango v2 is great and cheap. There is a LAN ethernet port which can be super convenient. I've retired my old mr3020 and use this now.

frollic · February 1, 2023, 2:31pm

wrong thread ?

btw, 8/64 devices will be out of support after next stable release.

twinkleLED · February 1, 2023, 2:39pm

The Mango v2 may be an appropriate $30 alternative for the OP if it turns out it is too much work to get into their nice MR3020.

Unfortunate to hear that the specs for the next stable release have been boosted again. I missed that discussion apparently.

PaulWebster · February 1, 2023, 2:41pm

Thanks - I'll try with Wireshark to see if I can see what (if anything) it is asking for.

frollic · February 1, 2023, 2:42pm

guess you didn't get the memo

that is assuming you can trigger the tftp recovery without serial console, the wiki
wasn't sure it'd be possible.

PaulWebster · February 2, 2023, 5:40pm

I’m in via serial port (made a mess of the case lid doing it).

I’ll update later with success or not.

PaulWebster · February 5, 2023, 1:10pm

Success - I now have it back to factory firmware with Linksys default password.
Serial->USB
tpl
tftpboot
erase
cp.b
bootm
All with appropriate parameters

Wireshark did not show activity so it took me a while to work out IPs to use … but “printenv” showed its IP address and where it expected to find tftp server.

I will leave it at that for a while but might still try old OpenWrt just for fun.

tmomas · February 6, 2023, 9:57am

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

system · February 16, 2023, 9:57am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.