SPI Flash dump needed for unbricking (TL-WR741ND v1)

jkristof94 · April 7, 2018, 8:38pm

Hi!

Some time ago I successfully flashed a wrong image to my beloved TL-WR741ND v1. The router would not boot from then on and the serial port was not active either. Then to make the situation worse, I wrote a factory image directly to the SPI flash chip and the rest is history

I came here to request a dump of someones SPI flash chip if you could do it somehow so I can write it directly into my flash.

Thank you in advance

mk24 · April 7, 2018, 8:52pm

Get the official TP-Link firmware from their website. Remove the first 512 bytes. BInwalk it and you should see the first part is a lzma compressed U-Boot followed by the lzma stock firmware kernel at 0x20000 . Write the image (without the first 512 bytes) to the flash chip. Be careful to back up the ART (last 64k of the flash chip), if it isn't already gone.

This should at least boot and give you something on the serial port.

jkristof94 · April 7, 2018, 8:54pm

This sounds interesting, thank you. What should I use the ART for? Should I bake it in to the factory image and pad it to 4MB?

mk24 · April 7, 2018, 9:04pm

You can place the ART in the flash with SPI programmer, or you can use OpenWrt to write it later. Router will still boot up without ART but wifi will not work.

jkristof94 · April 7, 2018, 9:12pm

I will check it out tomorrow, thank you.

jkristof94 · April 8, 2018, 4:26pm

Tried it with the first 512 bytes removed but no luck unfortunately Any other suggestions?

mk24 · April 8, 2018, 4:45pm

Did you check with binwalk that there really was a bootloader in the file?

A bootloader starts rather distinctively with a vector table, which is a kB of stuff like this:

00000000: 1000 00ff 0000 0000 1000 00fd 0000 0000  ................
00000010: 1000 01ac 0000 0000 1000 01aa 0000 0000  ................
00000020: 1000 01a8 0000 0000 1000 01a6 0000 0000  ................
00000030: 1000 01a4 0000 0000 1000 01a2 0000 0000  ................
00000040: 1000 01a0 0000 0000 1000 019e 0000 0000  ................

This is what should be stored at the first location in the flash chip.

jkristof94 · April 8, 2018, 5:40pm

After stripping the first 512 bytes from the image, this is what the original image from the TP-Link website looks like.

But I can find what you are referring to, in the SPI dump of the old firmware that does not work. Is it possible to somehow extract the downloaded LEDE image and write it to the flash in bootable form?

mk24 · April 8, 2018, 6:28pm

It seems the TP-Link firmware image does not include the bootloader. Most do but some do not. You have the kernel header instead, which is what a "stripped" image with no bootloader starts with.

If you had the bootloader in the first 128k it should come up to a bootloader prompt on the serial, no matter what is in the rest of the flash.

You can put the LEDE sysupgrade (not factory) in flash immediately after the bootloader and it should boot to LEDE.

jkristof94 · April 8, 2018, 6:59pm

Can I get the bootloader from the factory or sysupgrade image too?

mk24 · April 8, 2018, 7:13pm

No, OpenWrt doesn't include bootloaders. It assumes the factory one is there.

There is pepe2k's project, but he doesn't have a build for your chip (AR7240).

I don't have a WR741v1 but I do have a MR3420v1 which is likely similar enough.

jkristof94 · April 8, 2018, 9:41pm

I have found a U-Boot part in a TP-Link firmware for the v5 will check back soon.

bkil · August 23, 2018, 7:32pm

Unfortunately, v5 is a completely different chipset compared to v1. v1 and v2 is very similar, as the download link is shared. v3 shouldn't be too far either. u-boot for TL-WR740N v1/2/(3) should also work. TL-WR743 v1 and TL-WA730RE v1 may also be close enough lacking the former.

If you can't find any of them, do reach out to me and I'll try to extract one.

jkristof94 · August 23, 2018, 8:43pm

I happen to have a TL-WR740N so I might as well try to dump that and use it on the 741 but that is also one of the newer ones. Will report back as soon as I have time and thanks for bumping this thread

bkil · August 23, 2018, 10:07pm

First back up the whole flash chip to a file. Double check whether the ART partition (the last 64kB) contains a few dozen bytes at the beginning, and it is not 0xFF. If it is blank (all 0xFF), you can grab an ART from here (not a very good solution), either a 741v2 or a 743v1 one:

You can grab a 741v1 boot loader from here:

The final 4096KiB ROM image is produced by concatenating the 128KiB u-boot, OpenWrt, some blank space as 0xFF, and then finally the 64KiB ART.

jkristof94 · August 28, 2018, 6:18pm

I think I have the ART saved somewhere so I can use it on the dump. If not I will use the ones from the websites

bkil · December 7, 2018, 10:09pm

P.S.: don't forget to adjust the configuration bytes at the end of u-boot. It contains your MAC address, WPS PIN and model number (if changed).

Vic · May 16, 2021, 8:04pm

Greetings:
I have similar problem. I flash my TL-WR741ND v4.21 with a spi programmer and his proper openwrt image. It didn't work . How can i solve it? I'd like to flash it with openwrt using a spi programmer.