[Solved] WR841n with upgraded flash - Ok on Openwrt - bricked on LEDE

Hi,

My question is: is there any reason why OpenWRT or official firmware are running OK with a flash mod and not LEDE? Does LEDE check the flash chip model at boot?

As you can notice, I made a lot of attempts and searches before posting here. Any help would be much appreciated.


Background/goal:
I have two routers at home with 16MB/flash and 128 MB/Ram (Wndr3700v5 (main router)+ GL Mini 300a (ap only)): both are running LEDE 17.01.4. I wanted to expand my network and I bought WDR841n v11 to be an AP. I knew about the 432 warnings but I thought it was enough for an AP only (no dns, no dhcp).

I realized it was really impossible to install anything with 4 MB flash and I then decided to upgrade the flash chip from 4MB to 16MB. However, every attempt to install LEDE fails (router bricked after upgrade) while some other firmwares are OK.


Hardware:

  • Official flash chip: Spansion FL032PIF source
  • Replacement flash chip: Winbond 25q128 (bought on AliExpress)
    To transfer from one chip to another, I've used a CH341a black edition and I've always done a full check (verify) after the program.

Note:
The only hard mod I've done is the flash chip. I've tried some tests with firmware of WR841N v10 because, according to the forum, a build from v10 should work on v11 (the main difference between versions was the switch from Winbond (v10) to Spansion (v11)).


These are all tests I've done:
Original flash chip:

  • Install original firmware (TPLINK) on flash 4MB: OK
  • Install LEDE 17.1.04 WR841Nv11 on flash 4MB: OK

Replacement flash chip:

  • Dump original firmware from flash 4MB: OK
  • Dump LEDE 17.1.04 WR841Nv11 from flash 4MB: KO (bricked)
  • Dump original firmware from flash 4MB, boot and then, upgrade firmware to Openwrt snapshot: OK
  • Dump original firmware from flash 4MB, boot and then, upgrade firmware to Openwrt Chaos calmer of WR841N v10(header modified): OK
  • Dump original firmware from flash 4MB, boot and then, upgrade firmware to LEDE 17.1.04 WR841Nv11: KO (bricked)
  • Dump original firmware from flash 4MB, boot and then, upgrade firmware to LEDE 17.1.03 WR841Nv11: KO (bricked)
  • Dump original firmware from flash 4MB, boot and then, upgrade firmware to LEDE 17.1.02 WR841Nv11: KO (bricked)
  • Dump original firmware from flash 4MB, boot and then, upgrade firmware to LEDE 17.1.01 WR841Nv11: KO (bricked)
  • Dump original firmware from flash 4MB, boot and then, upgrade firmware to LEDE 17.1.04 WR841Nv10(header modified): KO (bricked)
  • Dump original firmware from flash 4MB, boot, build my own firmware of LEDE 17.1.04 WR841Nv11 (make, not imagebuilder) by setting target to 16MB: KO (bricked)
  • Dump original firmware from flash 4MB, boot and then, upgrade firmware to Openwrt Snapshot (OK) and then, sysupgrade to LEDE 17.1.04: KO (bricked)
  • Dump original firmware from flash 4MB, boot and then, upgrade firmware to Openwrt Snapshot (OK) and then, sysupgrade to Openwrt Chaos calmer of WR841N v10(header modified): OK

Pure guess, but you might check that the flash size mod has been done to the right place in the source code.

You mentioned nothing about how you have adjusted the source for a bigger flash.

Typically the flash size is defined in the source. And the partition table may also require modification.

What does serial console say about flash size detection during the boot process?

Thanks for the reply.

For the source, I've done the steps described in this post => target/linux/ar71xx/image/tp-link.mk - set $(Device/tplink-16mlzma) for WR841n and then, make. My understanding of your reply is that I should have a look at the source code: probably not the .mk file. I don't know much about LEDE source code.

Don't know how to do serial console, so, no log. Maybe I should investigate how to connect to serial, but for the moment I can't find a good "how to start" on this topic. I have an FTDI 232RL USB TTL Serial Adapter Converter at home, is it OK?

This is the section I've modified: link to source. I've changed $(Device/tplink-4mlzma) to $(Device/tplink-16mlzma)

I have exactly the same setup with a v11.1 TL-WR841N(US) and W25Q128 chip upgrade. I can confirm 100% that 17.01.2 works. I would think all the other versions work too.

Prepare the new flash chip as follows:
First 128kB: Bootloader from the first 128kB of the original chip
Immediately afterward: LEDE sysupgrade.bin image. Not a factory image.
(There is blank space here which may contain zeros or FF or almost anything. it will be overwritten during the first boot.)
Last 64kB: ART data from the last 64k of the original chip

LEDE and later versions of OpenWrt dynamically partition the chip for most TP-Link models including this one. You can flash an unmodified release build and it will find the extra space. There is no need to modify source code or re-compile.

The ART goes in the last 64k block of the chip no matter what the chip size.

The first boot of a 16MB chip will take about 2 minutes to format the JFFS filesystem before it comes on line. During this time the power LED will be blinking slowly.

The original bootloader is hard-coded so it can only write the first 4M of the chip. This isn't a serious limitation in practice but something to be aware of.


mk24, thanks (Thank you for giving me confirmation that this setup should work :)). I could try that but I'm skeptical about the proposal (maybe because of my lack of knowledge in the sysupgrade process)

My skepticism: the chip is working fine when upgrading to OpenWrt: why would LEDE be different? I guess the sysupgrade command is just writing the part between the bootloader and the ART. Is that correct?

What firmware are you initially placing in the new chip?

I would use the CH341 to write LEDE directly, then install that chip and boot it. The regular sysupgrade process will work to upgrade to later versions of LEDE.

Yes, running sysupgrade writes the image byte for byte at the start of the flash partition "firmware" which is everything between the bootloader and the ART. You can do the same thing with a chip programmer.

The one I initially place is a dump of the original flash chip (4MB) with the official tplink firmware (and it works with the new chip, it boots).

So, let's call this dump "original_dump.bin". To create the bin you describe, are the following commands OK?

$ head -c $(( 128 * 1024 )) original_dump.bin > original_bootloader.bin
$ tail -c $(( 64 * 1024 )) original_dump.bin > original_art_data.bin
$ cat original_bootloader.bin lede-17.01.4-ar71xx-generic-tl-wr841-v11-squashfs-sysupgrade.bin original_art_data.bin > firmware.bin

Then, I should just program the new flash chip with this firmware (using the CH341a), right?

The last step using cat won't work, it doesn't fill in the blank space between the end of the firmware and the ART. But that is the overall concept.

You could use dd to put zeros at the end of the file to fill out the firmware to a size of 16M - 384k
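
The layout described earlier in the thread (bootloader in the first 128 kB, sysupgrade image immediately after, ART in the last 64 kB) can also be assembled by writing each piece at its offset into a zero-filled 16 MiB file. The script below is an added example, not part of any post in this thread; the function names and the script name `build16m.sh` are made up for illustration, and it assumes `dd`, `head -c`, `tail -c` and `cksum` are available. It also checks each region of the result against its source before the file goes to the programmer.

```shell
#!/bin/sh
# Added example (not from the thread): place each piece at its offset in a
# zero-filled 16 MiB image instead of concatenating with cat.
CHIP_KB=16384   # 16 MiB replacement chip
BOOT_KB=128     # bootloader: first 128 kB of the original dump
ART_KB=64       # ART: last 64 kB of the original dump

build_image() {   # args: original_dump sysupgrade_image output
    dump=$1; fw=$2; out=$3
    dump_kb=$(( $(wc -c < "$dump") / 1024 ))
    fw_bytes=$(( $(wc -c < "$fw") ))
    max_fw=$(( (CHIP_KB - BOOT_KB - ART_KB) * 1024 ))
    if [ "$fw_bytes" -gt "$max_fw" ]; then
        echo "sysupgrade image does not fit between bootloader and ART" >&2
        return 1
    fi
    dd if=/dev/zero of="$out" bs=1024 count="$CHIP_KB" 2>/dev/null &&
    dd if="$dump" of="$out" bs=1024 count="$BOOT_KB" conv=notrunc 2>/dev/null &&
    dd if="$fw" of="$out" bs=1024 seek="$BOOT_KB" conv=notrunc 2>/dev/null &&
    dd if="$dump" of="$out" bs=1024 skip=$(( dump_kb - ART_KB )) \
       seek=$(( CHIP_KB - ART_KB )) count="$ART_KB" conv=notrunc 2>/dev/null
}

region_sum() {   # args: file offset_bytes length_bytes -> CRC and size
    tail -c +$(( $2 + 1 )) "$1" | head -c "$3" | cksum
}

verify_image() {  # same args; the return code names the region that differs
    dump=$1; fw=$2; out=$3
    fw_bytes=$(( $(wc -c < "$fw") ))
    dump_b=$(( $(wc -c < "$dump") ))
    chip_b=$(( CHIP_KB * 1024 )); boot_b=$(( BOOT_KB * 1024 )); art_b=$(( ART_KB * 1024 ))
    [ "$(( $(wc -c < "$out") ))" -eq "$chip_b" ] || return 1
    [ "$(region_sum "$dump" 0 "$boot_b")" = "$(region_sum "$out" 0 "$boot_b")" ] || return 2
    [ "$(region_sum "$out" "$boot_b" "$fw_bytes")" = "$(cksum < "$fw")" ] || return 3
    [ "$(region_sum "$dump" $(( dump_b - art_b )) "$art_b")" = \
      "$(region_sum "$out" $(( chip_b - art_b )) "$art_b")" ] || return 4
}

# Usage: sh build16m.sh original_dump.bin sysupgrade.bin firmware16m.bin
if [ "$#" -eq 3 ]; then
    build_image "$@" && verify_image "$@" && echo "image verified: $3"
fi
```

A non-zero return from `verify_image` identifies the region that differs: 1 total size, 2 bootloader, 3 firmware, 4 ART.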

Got it. Will try that this week and let you know.

Unfortunately, while removing the chip, one of the branches was broken. I've just ordered a new one on AliExpress but there's a delay of a few weeks. I'll update this thread once I have the new ones.

Hi,

It took more time than expected to get the new chips but it works. Thanks a lot mk24 and hnyman!

Alexandre
