Support for DIR-842 rev: C1

For Developers
1

https://wikidevi.com/wiki/D-Link_DIR-842_rev_C1
Based on QCA9563+QCA9888

Hello, after permanently bricking the wifi calibration partition on my ac58u it became useless so I found this router for cheap at a local store: D-Link DIR-842 rev C1.
It's a good little router, wifi works at nearly the same speed, ipv6 works okay with it's proprietary software, pppoe traffic is slightly limited at 870 mbps out of the possible 980 mbps but it's okay. However I'm missing OpenWrt's more advanced features.

I'm trying to disassemble the router to look for jtag connectors. Under the label there are two holes but they have solid metal underneath, no screws. Tried to press it with a screwdriver and it didn't work. No other screws on the case. how do I take it apart?

1.jpg1067×800

2.jpg1065×800

2

Go gently with a large drill bit....

or

Butane torch em / large tip high head solder iron for a few secs and pry open..... Use an old can/tin to shield surrounding areas...... Fridge it for 10mins prior for a lil more protection...

Option 1 is the most foolproof..... option 2 has potential for a cleaner result / reassembly with existing structural elements...... albeit at greater risk.....

If your patient, an exacto / box cutter around the outside of the rivets will also work... but few would have the patience and dexterity.......

Hot glue will reseal if things get messy.... use some on the inside corners as well.....

I'd go with option 1 if I owned it. Option 2 if doing for someone else...

3

Thanks, I got it open, using the second option, melting the outside of the rivet then prying open the case. Unfortunately also creating many scratches in the process :slight_smile:

Is the jtag connector the one on the left of the power switch?

4 new photos by Alexandru Stan
4

Good job!

In your second pic JP1 with a multimeter.....

Square appears to be ground
Circle closest to square is V+

5

Perfect! So the jtag is identical to the dir-825

I tried hooking them up right now but my old chinese jtag thingy died. I'll have to find some people at a mobile repair shop who have another one. Possibly today or tomorrow.

Essentially what does the community need? Dumping the entire flash memory? I haven't worked on routers before.

Can I have a more foolproof guide, on what is needed to develop on this.

Edit: Hmm that arrangement seems correct. So center circle GND, end circle TX, circle next to square RX, and JP1 square is 3.3V. Got that noted, I'll try when I find a jtag.

Edit2: So if I understand correctly, in order to help you guys I will need to do a simple hex dump of the entire flash using OpenOCD/URJTAG? Because I'll use somebody else's jtag tool so I won't be able to keep it for long to do debugging.

6

Very similar to this;

D-Link DIR-859 rev A1
( and netgear and EA .... )

Noteably;
^ Has "WI2 chip1: Qualcomm Atheros QCA9880-BR4A"

And your supposedly has;
" WI2 chip1: Qualcomm Atheros QCA9888"

So you might need to use the image builder... or the buildroot to mess around abit.

But it seems your in luck. :slight_smile:

Foolproof guide is counter modworthy. But i'll help break it down a little.....

-Hardware support ( check )
https://openwrt.org/packages/pkgdata/ath10k-firmware-qca9888

-Flash size / chip TBA

-Get a serial bootlog.... and i'm pretty sure in your case she should run rather smoothly.....

**-Grab the imagebuilder and run through a guide at building the 859-firmware.......

Do not flash it - although there is a medium probability of success - non damage.... medium VS brick is not good enough**

-Hunt around / wait for a more specific response here about firmware formats across those devices.

I'm pretty surprised there weren't more hits on it / existing docs going by initial pokings around. So there is a good chance some here has some better specifics.

I am happy to build firmware for you if you need it / fancy stuff as the software side is a bit overwhelming at first.

7

I'm very glad this is compatible. Thank you so much! It'll be great if you could attempt a build for it. And about bricking no worries, it's a cheap router. And actually, although cheap, it's hardware might be able to support 80+80/160MHz channel/2600mbps, a feature on routers three times as expensive.

//Edit: Nevermind, I found another dirt-cheap USB UART thingy that has 3.3v support, will pick it up tomorrow. It should be compatible. If it works OK, I am open to any testing!

8

Small problem, I might be dumb.
I got the little USB UART thingy. I determined the pinout on the router. Testing the USB UART device by shorting TX with RX and sending something works, I receive that text back.

But connecting GND and RX to the router results in... [00] I even tried connecting the extra TX and 3.3v pins to no avail.

Do I need a resistor?

9

Nevermind, I mixed up the data pins. :slight_smile:

Bootlog: https://pastebin.com/pQMEu3aM

(character limit, had to use pastebin. The beginning is some scrambled text but then looks ok, it shows the partition table and every part of the boot sequence)

@anon50098793

For easy reading, here's the partition table again:

[    0.590000] m25p80 spi0.0: mx25l12805d (16384 Kbytes)
[    0.590000] 8 cmdlinepart partitions found on MTD device spi0.0
[    0.600000] spi0.0: the flash image has SEAMA header
[    0.610000] spi0.0: squashfs filesystem found at offset 0x001b0060
[    0.610000] Creating 9 MTD partitions on "spi0.0":
[    0.620000] 0x000000000000-0x000000040000 : "u-boot"
[    0.620000] 0x000000040000-0x000000050000 : "u-boot-env"
[    0.630000] 0x000000050000-0x000000060000 : "devdata"
[    0.640000] 0x000000060000-0x000000070000 : "devconf"
[    0.640000] 0x000000070000-0x000000080000 : "misc"
[    0.650000] 0x000000080000-0x000000fd0000 : "upgrade"
[    0.660000] 0x000000fd0000-0x000000fe0000 : "art"
[    0.660000] 0x0000001b0060-0x000000adc060 : "rootfs"
[    0.670000] mtd: partition "rootfs" set to be root filesystem
10

Would it be possible that you close the browser window next time? I'm very interested in seeing what's on other peoples desktops, and their background images too.

If you don't like other people seeing your desktop, maybe you should just post a screenshot of the relevant window, instead of showing your whole desktop.

scnr.

11

I removed the picture altogether, it was a bit confusing too, drawn attention away from the main thing :slight_smile:
My backgrounds are taken from: https://unsplash.com/ :stuck_out_tongue:

1 Like
12

Can you also pastebin the uboot command

printenv

Loading and initramfs image from usb or tftp will be safer.

Need to find out what commands / filesystem ( ext2 / fat ) / and load memory addresses to make that work.

13

When do I run it? I tried to send it as soon as powered on but the bootlog still didn't change. It appears to be locked.

Does that require actual JTAG instead of UART?

Or do I need to enter the router in a special boot mode?

Is the stock firmware upgrade image of any help? ftp://ftp2.dlink.com/PRODUCTS/DIR-842/REVC/DIR-842_REVC_FIRMWARE_v3.10B05.zip. I could open the "middle" upgrade bin in 7-Zip and it has pretty much Linux firmware with some files even taken from OpenWrt. The final bin can't be opened and requires Binwalk. Let me check.

Capture

14

Any news, anyone working on this?
I am willing to mail the device to someone in Europe if that helps, I don't care much about things and I tore it apart anyway, if I can help with that I'll go ahead :slight_smile:

15

By JTAG you mean serial interface.

1 Like
16

Yeah I confused them at first. It's serial interface I'm doing right now.

How do I send the printenv command to it? Is it OEM locked if it sends no answer?

1 Like
17

The bootlog you put on pastebin seems to throw out some garbage earlyboot ( uboot )

So, either it's some sort of obfuscation i'm not familiar with or you'd need to have your serial device on another setting ( common cause of scrambling then unscrambling ) during the early boot stage to interrupt ( if it's possible - most are )

Search up on your device..... re: bootloader baud changes and interrupt key sequences.

( next common one to try would be 38xxx whatever it is..... and then 56xxx )

1 Like
18

Hmm indeed that was the problem. I played around a bit with baud rate and data bits, now the beginning is descrambled!

https://pastebin.com/hupWXj0d

There are these lines saying this:

Hit any key to stop autoboot:  0
Reset button released

And serial connection info

[    0.000000] Kernel command line: board=AP152 console=ttyS0,115200 mtdparts=spi0.0:256k(u-boot)ro,64k(u-boot-env),64k(devdata),64k(devconf),64k(misc),15680k(upgrade),64k(art),16m@0(rootfs)ro root=/dev/mtdblock7 init=/sbin/init noinitrd crashkernel=10M@20M

Very curious. Let's see if I manage to intrerupt the bootloader.

Edit: Haha it doesn't want to be interrupted with a hardware key :smiley: I will need to figure out the serial command

Hit any key to stop autoboot:  0 
Reset button released
## Booting image at 9f080040 ...
1 Like
19

D-Link normally disables input from serial console. You can only see the output from there. no commands are possible.

1 Like
20

Oh, I understood. This is why it wasn't accepting any sort of command.

Anyway, now the descrambled part of the bootlog is showing some memory addresses and more filesystem info. Is it of enough help for at least some test builds?