Stripping Firmware - How Much to Remove?

I recently had to recover from a bad flash on a TL-WR841N. Router was stuck in a boot loop.

To recover I used TFTP to install the factory image with the first 512 bytes stripped (0x200) - it worked.

It was actually the OpenWrt TFTP recovery page for the Archer C50 where I got the information to strip the first 200 hex blocks in order to get the firmware to take.

Before I found that useful page, I used binwalk to analyse the factory firmware. 0x200 was not mentioned anywhere in the binwalk output.

My question is: in future, how can I know how much of the firmware needs to be stripped to recover over TFTP?

1 Like

Maybe this helps?
https://openwrt.org/toh/tp-link/tl-wr841nd#go_back_to_original_firmware

1 Like

That was the first article I used; it didn't work. It actually says to strip the first 0x20200 blocks.

I was at the stage of ‘I’ll try anything now’ when I tried stripping only the first 0x200 blocks.

How can one know how much needs to be stripped if there is no clue in the router’s serial output and no clue in the binwalk output? Is there another way to find out?

  • Am I clear in understanding that you found an instruction manual that told you 0x200, correct?

That would be the answer to your question - the Wiki. Otherwise, only the OEM could hazard that guess - as this is OpenWrt.

Regarding Binwalk, you could have used a hex editor, if you knew what you were looking for.

Perhaps you think this is common with other routers, it isn't. I've never had to strip a firmware on any other device. To answer you directly, the Wiki will tell you.

1 Like

Thanks for taking the time, to both of you that posted.

Am I clear in understanding that you found an instruction manual that told you 0x200, correct?

My router is a WR841N. I found the reference to stripping 200 blocks in the Archer C50 wiki, a totally different router.
After trying stripping other amounts that I had read about (for example, the WR841N wiki says to strip the first 20200 blocks), I had nothing to lose; the router was already a paperweight. Anyway, stripping the first 200 worked.

Regarding Binwalk, you could have used a hex editor, if you knew what you were looking for.

I did use a hex editor, I used XVI32. Knowing what to look for in that hex file was the basis of this post, but it looks like there is no answer to that original question.

Recovering this router for me was a matter of me being too stubborn to quit. The value of the router is nowhere near worth the time I put into recovering it. I just have a genuine interest in this kind of thing.

I was messing around trying to get a version of OpenWrt on this as yet unsupported router. Maybe not the place to post this, but it will be infinitely helpful for anyone searching for a solution to this problem, so here it is: if your TL-WR841N v14 is in a boot loop after a botched firmware install, this is how to fix it:

  • Download the firmware file for your router from the TP-Link website. At this time you can change the language of the firmware if you want; for example, my router is the TW version, with a traditional Chinese interface. I downloaded the US version of the FW and now the interface is in English.

  • Rename the fw file you just downloaded to 'tp_recovery.bin'.

  • Use your hex editor to delete the first 200 blocks of the file 'tp_recovery.bin'.
    I used XVI32. From the menu: Edit > Block n chars > Hexadecimal > $200 > OK... Edit > Block delete... File > Save.

  • Set the wired IP address of your computer to 192.168.0.66; this is the address that the router is looking for a TFTP server on. I found this address with Wireshark (I also found with Wireshark that the router was looking for a file called 'tp_recovery.bin').

  • Use your TFTP program of choice, set it up to be on 192.168.0.66, and put the 'tp_recovery.bin' file where it needs to be.

  • Connect a LAN port of the router to your computer's Ethernet port.

  • Hold the 'reset' button on the router and apply power; hold the button down for around 8 seconds. This puts the router into TFTP mode, where it will look for the recovery file on TFTP server 192.168.0.66. The file should send over TFTP from your PC and your router should now reboot and be back to working.

  • If you want to see what's going on during the recovery process, you can hook up to the router's serial port. This isn't required, but I just like to see what's going on during the process.

1 Like
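The recovery procedure above, as an added example that is not code from the posters or from OpenWrt: a small Python script that strips the vendor header from the factory image, writes it out as tp_recovery.bin, and serves it from 192.168.0.66 with a minimal read-only TFTP server (RFC 1350 subset, octet mode, no options). Everything it assumes comes from the thread: the 0x200 offset that worked for the WR841N v14 (other models need other values; the WR841N wiki quoted above gives 0x20200), and the 192.168.0.66 address and tp_recovery.bin filename the poster saw in Wireshark. The marker scan (uImage and SquashFS magics) is only a sanity check that the image payload starts at the offset you chose; it does not derive the offset, which, as the replies say, still has to come from the wiki. The SAMPLE_IMAGE is a constructed stand-in so the script runs offline; it is not a real firmware file.

```python
"""tp_recover.py: strip a TP-Link factory header and serve the result over TFTP.
Added example for this thread, not code from the posters or from OpenWrt. Assumed
from the thread: strip offset 0x200 (other models differ), the router requests
'tp_recovery.bin' from 192.168.0.66, and the transfer is in octet mode."""
import socket
import struct
import sys
from pathlib import Path

TFTP_BIND_IP = "192.168.0.66"   # address the router looks for a TFTP server on (assumed from thread)
TFTP_PORT = 69
RECOVERY_NAME = "tp_recovery.bin"
DEFAULT_STRIP = 0x200           # header length that worked for the WR841N v14 above
# Signatures that usually sit right after a vendor header (a mini binwalk).
MARKERS = {b"\x27\x05\x19\x56": "uImage header",
           b"hsqs": "SquashFS superblock (little-endian)",
           b"sqsh": "SquashFS superblock (big-endian)"}
# Constructed stand-in for a factory image: 0x200 bytes of header, then a uImage magic.
SAMPLE_IMAGE = bytes(0x200) + b"\x27\x05\x19\x56" + bytes(60) + b"hsqs" + bytes(100)

def find_markers(data: bytes) -> list:
    """Return sorted (offset, description) pairs for every known marker in data."""
    hits = []
    for magic, desc in MARKERS.items():
        start = 0
        while (pos := data.find(magic, start)) != -1:
            hits.append((pos, desc))
            start = pos + 1
    return sorted(hits)

def strip_header(data: bytes, offset: int = DEFAULT_STRIP) -> bytes:
    """Drop the first `offset` bytes; refuse an offset that leaves nothing to flash."""
    if not 0 <= offset < len(data):
        raise ValueError(f"offset {offset:#x} out of range for a {len(data)}-byte image")
    return data[offset:]

# Minimal read-only TFTP (RFC 1350 subset): opcodes and fixed 512-byte data blocks.
OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
BLOCK = 512

def parse_rrq(pkt: bytes):
    """Return (filename, mode) from a Read Request, or None for any other packet."""
    if len(pkt) < 4 or struct.unpack("!H", pkt[:2])[0] != OP_RRQ:
        return None
    fields = pkt[2:].split(b"\x00")
    if len(fields) < 2:
        return None
    return fields[0].decode("ascii", "replace"), fields[1].decode("ascii", "replace").lower()

def data_packet(block_no: int, chunk: bytes) -> bytes:
    """Build a DATA packet; the block counter is 16 bits and wraps on large images."""
    return struct.pack("!HH", OP_DATA, block_no & 0xFFFF) + chunk

def serve_once(image: bytes, bind_ip: str = TFTP_BIND_IP, port: int = TFTP_PORT,
               name: str = RECOVERY_NAME) -> int:
    """Wait for one RRQ for `name`, stream `image` to the requester, return blocks sent."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind((bind_ip, port))          # port 69 needs root or CAP_NET_BIND_SERVICE
    print(f"waiting for RRQ {name} on {bind_ip}:{port}")
    while True:
        pkt, peer = listener.recvfrom(1024)
        req = parse_rrq(pkt)
        if req == (name, "octet"):
            break
        if req is not None:                 # wrong name or mode: TFTP error 1, file not found
            listener.sendto(struct.pack("!HH", OP_ERROR, 1) + b"file not found\x00", peer)
    xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    xfer.bind((bind_ip, 0))                 # fresh source port = transfer ID (RFC 1350)
    xfer.settimeout(3.0)
    block_no = 1
    # end is len+1 so an image that is a multiple of 512 still gets its terminating short block
    for off in range(0, len(image) + 1, BLOCK):
        chunk = image[off:off + BLOCK]
        for _ in range(5):                  # retransmit until the matching ACK arrives
            xfer.sendto(data_packet(block_no, chunk), peer)
            try:
                ack, _from = xfer.recvfrom(1024)
            except socket.timeout:
                continue
            if len(ack) >= 4 and struct.unpack("!HH", ack[:4]) == (OP_ACK, block_no & 0xFFFF):
                break
        else:
            raise TimeoutError(f"no ACK for block {block_no}")
        block_no += 1
    return block_no - 1

if __name__ == "__main__":
    raw = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE_IMAGE
    offset = int(sys.argv[2], 0) if len(sys.argv) > 2 else DEFAULT_STRIP
    for pos, desc in find_markers(raw):     # sanity check: payload should begin at `offset`
        print(f"{pos:#010x}  {desc}")
    image = strip_header(raw, offset)
    Path(RECOVERY_NAME).write_bytes(image)
    if len(sys.argv) > 1:                   # only serve a real image, never the constructed sample
        print(f"sent {serve_once(image)} blocks")
```

Run it as `sudo python3 tp_recover.py factory.bin 0x200` with the PC already on 192.168.0.66, then power the router on with reset held as described above. Before trusting it with a bricked router, you can fetch the file yourself from another host with a tftp-hpa client (`tftp -m binary 192.168.0.66 -c get tp_recovery.bin`) and compare checksums with the stripped file. If the marker scan reports the first uImage or SquashFS signature somewhere other than your chosen offset, that is a hint the offset is wrong for this model, not proof it is right.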

Can you add this to the Wiki?

1 Like

Thanks Man!
You saved me time. After trying for more than 12 hours to unbrick my router, I had already lost hope. At last I found your solution and it works like a charm. Thank you very much.

1 Like

Done

2 Likes

Great Help Thanks