WDR-3600 debrick using tftpd

Dear friends,

I bricked my WDR-3600 using the tl-wdr3600-v1-squashfs-sysupgrade.bin instead of tl-wdr3600-v1-squashfs-factory.bin. I am away from home and cannot use TTL to connect and flash again. Apparently, the device is booting. I hope to use tftp boot, but how?

apt-get install --reinstall tftpd-hpa tftp-hpa
In /etc/default/tftpd-hpa
TFTP_OPTIONS="--secure -v"

Then I can read the log in /var/log/syslog
tftpd works.

Then what should I do?

Did you come across the documented tftp recovery procedure in the Wiki (https://wiki.openwrt.org/toh/tp-link/tl-wdr3600#tftp_auto_recovery_in_revision_15)?

It might not work if your previous TP-Link stock firmware was not up-to-date enough to already include the TFTP recovery procedure. In that case only TTL will do AFAIK.

It worked very well using:

tcpdump -ni eth0 arp

ARP, Request who-has 192.168.0.66 tell 192.168.0.86, length 46

Then I installed tftpd on a computer with IP 192.168.0.66 and it uploaded the firmware.

Thanks!
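The steps just described (capture the bootloader's ARP request, give the host the address it asks for, serve the factory image with tftpd-hpa) worked into a small script. This is an added example, not code from the thread, from OpenWrt/LEDE or from TP-Link. The function names (parse_recovery_arp, tftp_server_ip, device_ip, first_recovery_probe, recovery_plan) are made up for this example, the sample ARP line is constructed in the shape tcpdump printed above, /srv/tftp is assumed to be the tftpd-hpa root, and the name of the image file the bootloader requests is left as a placeholder because the thread does not state it (with TFTP_OPTIONS="--secure -v", tftpd-hpa logs the requested name to syslog as "RRQ from <device> filename <name>").

```shell
#!/bin/sh
# Added example (not from the thread): turn the ARP request captured with
# "tcpdump -ni eth0 arp" into the host-side TFTP recovery setup.

# Constructed sample line, in the shape tcpdump printed in the thread.
SAMPLE_ARP='ARP, Request who-has 192.168.0.66 tell 192.168.0.86, length 46'
TFTP_ROOT=/srv/tftp   # assumed tftpd-hpa root directory on Debian/Ubuntu
IFACE=eth0            # interface the router is plugged into

# Print "<server-ip> <device-ip>" for one ARP request line; nothing for other lines.
parse_recovery_arp() {
    printf '%s\n' "$1" |
        sed -n 's/.*ARP, Request who-has \([0-9.]*\) tell \([0-9.]*\),.*/\1 \2/p'
}

# The address the bootloader expects the TFTP server at (first field).
tftp_server_ip() { parse_recovery_arp "$1" | cut -d ' ' -f 1; }

# The address the bootloader itself is using (second field).
device_ip() { parse_recovery_arp "$1" | cut -d ' ' -f 2; }

# Read tcpdump output on stdin, print the first recovery probe seen and stop.
# Usage on the live capture: tcpdump -lni "$IFACE" arp | first_recovery_probe
first_recovery_probe() {
    while IFS= read -r line; do
        hit=$(parse_recovery_arp "$line")
        if [ -n "$hit" ]; then
            printf '%s\n' "$hit"
            return 0
        fi
    done
    return 1
}

# Emit the commands the recovery host needs, given one ARP line (printed, not run).
recovery_plan() {
    server=$(tftp_server_ip "$1")
    dev=$(device_ip "$1")
    [ -n "$server" ] || { echo "no ARP request found in input" >&2; return 1; }
    cat <<EOF
# 1. Give this host the address the bootloader is looking for ($server)
ip addr add $server/24 dev $IFACE
# 2. Make tftpd-hpa log requests (-v) and serve only from its root (--secure)
sed -i 's/^TFTP_OPTIONS=.*/TFTP_OPTIONS="--secure -v"/' /etc/default/tftpd-hpa
systemctl restart tftpd-hpa
# 3. Serve the factory image, NOT the sysupgrade image, under the name the
#    bootloader asks for (placeholder: read it from /var/log/syslog, which shows
#    "RRQ from $dev filename <name>" once the router has been power-cycled)
cp tl-wdr3600-v1-squashfs-factory.bin $TFTP_ROOT/IMAGE_NAME_REQUESTED_BY_BOOTLOADER
EOF
}

# Demonstration on the constructed line when the script is run directly.
recovery_plan "$SAMPLE_ARP"
```

The same parser, fed from tcpdump on a monitoring host, also flags when any device on the segment has been power-cycled into this recovery mode: a "who-has 192.168.0.66 tell 192.168.0.86" request from a port that normally carries no ARP for that range is worth an alert, since the next thing that device will accept is whatever image a TFTP server at that address hands it.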

By the way, I wonder whether this might be a vulnerability.

Anybody with physical access to a router can unplug it, replug it to a TFTP server and install a fresh distribution. Or if you are in a company, just connect to an RJ-45 plug, turn off the electricity and you might be able to break into the system ... All this could be automated with an attack software or a malware targeting all TP-Link devices around the planet.

Is this a message sent by bootloader or is it embedded in hardware?
Can the bootloader be replaced with Coreboot/uboot?

Edit: I found this project around uboot:

It claims the WDR3600v1 is supported...

uboot-mod is highly interesting ... It is not protected, but still a good starting point to hack. How do I automate installation from LEDE? OpenWRT claims to have u-boot-upgrade. Is it included in LEDE?

Edit: uboot modified versions can be downloaded from:
http://projects.dymacz.pl/?dir=u-boot_mod

/tmp# ./u-boot-upgrade

=================================================================
DISCLAIMER: you are using this script at your own risk!

 The author of U-Boot modification and this script takes
 no responsibility for any of the results of using them.

      Updating U-Boot is a very dangerous operation
    and may damage your device! You have been warned!

=================================================================
Are you sure you want to continue (type 'yes' or 'no')? yes

[ ok ] Found U-Boot image file: u-boot_mod__tp-link_tl-wdr3600__20170510__git_master-0c183583.bin
Do you want to use this file (type 'yes' or 'no')? yes
[ ok ] MD5 checksum of new U-Boot image file is correct
[ ok ] Backup of /dev/mtd0 successfully created
Do you want to store backup in /etc/u-boot_mod/backup/ (recommended, type 'yes' or 'no')? yes
[ ok ] Backup of /dev/mtd0 successfully copied to /etc/u-boot_mod/backup/
[ ok ] New U-Boot image successfully combined with backup file
[info] New U-Boot image is ready to be written into FLASH
Are you sure you want to continue (type 'yes' or 'no')? yes
[erro] FATAL ERROR: could not write new U-Boot image into FLASH
[erro] DO NOT RESET YOUR DEVICE NOW AND TRY AGAIN!

ls -lh /dev/mtd0
crw------- 1 root root 90, 0 Jan 1 1970 /dev/mtd0

It can be written to, but apparently it is read-only.

/dev/mtd0 was not updated.

I am starting a new thread, please don't answer here.

I wrote a program that converts the file so that it will fit; here is a link to it. The output file is named out.bin
Tp-link firmware Cutter