WDR-3600 debrick using tftpd

Dear friends,

I bricked my WDR-3600 using the tl-wdr3600-v1-squashfs-sysupgrade.bin instead of tl-wdr3600-v1-squashfs-factory.bin. I am away from home and cannot use ttl to connect and flash again. Apparently, the device is booting. I hope to use tftp boot, but howto?

apt-get install --reinstall tftpd-hpa tftp-hpa
In /etc/defaut/tftpd-hpa
TFTP_OPTIONS="--secure -v"

Then I can read the log in /var/log/syslog
tftpd works.

Then what should I do?

Did you come across the documented tftp recovery procedure in the Wiki (https://wiki.openwrt.org/toh/tp-link/tl-wdr3600#tftp_auto_recovery_in_revision_15) ?

It might not work if your previous TP-Link stock firmware was not up-to-date enought to already include the TFTP recovery procedure. In that case only TTL will do AFAIK.

It worked very well using:

tcpdump -ni eth0 arp

ARP, Request who-has 192.168.0.66 tell 192.168.0.86, length 46

Then I installed tftpd on a computer with IP 192.168.0.66 and it uploaded the firmware.

Thanks!

By the way, I wonder wether this might be a vulnerability.

Anybody with physical access to a router can unplug, replug to a TFTP server and install a fresh distribution. Or if you are in a company, just connect to a RJ-45 plug, turn off the electricity and you might be able to break in the system ... All this could be automated with an attack software or a malware targeting all TP-Link devices around the planet.

Is this a message sent by bootloader or is it embedded in hardware?
Can bootloaded be replaced with Coreboot/uboot?

Edit: I found this project around uboot:

It claims the WDR3600v1 is supported...

uboot-mod is highly interesting ... It is not protected, but still a good starting point to hack. How do I automate installation from LEDE? OpenWRT claims to have u-boot-upgrade. Is it included in LEDE?

Edit : uboot modified versions can be downloaded from:
http://projects.dymacz.pl/?dir=u-boot_mod

/tmp# ./u-boot-upgrade

=================================================================
DISCLAIMER: you are using this script at your own risk!

 The author of U-Boot modification and this script takes
 no responsibility for any of the results of using them.

      Updating U-Boot is a very dangerous operation
    and may damage your device! You have been warned!

=================================================================
Are you sure you want to continue (type 'yes' or 'no')? yes

[ ok ] Found U-Boot image file: u-boot_mod__tp-link_tl-wdr3600__20170510__git_master-0c183583.bin
Do you want to use this file (type 'yes' or 'no')? yes
[ ok ] MD5 checksum of new U-Boot image file is correct
[ ok ] Backup of /dev/mtd0 successfully created
Do you want to store backup in /etc/u-boot_mod/backup/ (recommended, type 'yes' or 'no')? yes
[ ok ] Backup of /dev/mtd0 successfully copied to /etc/u-boot_mod/backup/
[ ok ] New U-Boot image successfully combined with backup file
[info] New U-Boot image is ready to be written into FLASH
Are you sure you want to continue (type 'yes' or 'no')? yes
[erro] FATAL ERROR: could not write new U-Boot image into FLASH
[erro] DO NOT RESET YOUR DEVICE NOW AND TRY AGAIN!

ls -lh /dev/mtd0
crw------- 1 root root 90, 0 Jan 1 1970 /dev/mtd0

can be writtent but apparently is read-only.

/dev/mtd0 was not updated.

I am starting a new thread, please don't answer here.