OpenWrt Forum Archive

Topic: Inside TL-WDR4900 CHINESE Ver.2.0

The content of this topic has been archived between 8 Feb 2018 and 25 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello OpenWRT guys,

Here is more info for TL-WDR4900 Chinese Ver.2.0 ( 6x External Antennas ), 2x USB ports
Photos and serial boot log after soldering the serial connector on board included!

Quick chip summary:
SoC QCA9558-AT4A built-in 2.4GHz (serial connected to this one)
Winbond 25Q64FVS1G - 8M Flash - 8-pin SOIC 208-mil
2xH5PS5162GFA - 128M DDR RAM
AR9580-AR1A - 5GHz
AR8327N-AL1A - Switch

PSU - 100~240V/50-60Hz/500mA ; 12.0V/1500mA

U-Boot 1.1.4 (Jan 15 2013 - 15:09:34)

ap135 - Scorpion 1.0DRAM:  
sri
Scorpion 1.0
ath_ddr_initial_config(178): (32bit) ddr2 init
tap = 0x00000003
Tap (low, high) = (0x4, 0x1e)
Tap values = (0x11, 0x11, 0x11, 0x11)
128 MB
Flash Manuf Id 0xef, DeviceId0 0x40, DeviceId1 0x17
flash size 8MB, sector count = 128
Flash:  8 MB
Using default environment

Serial console full boot log

Size of this router is twice the size of any router that I owned before! And the area coverage on both bands 2.4/5GHz is great!

Outside:
Top view
Back view
Bottom label

Inside:
Top view 1
Top view 2
Bottom view
Top serial connector+

Request: If someone gets their hands on a TL-WDR4900 non-Chinese version 1.0 (3x external antennas), I'd appreciate some more info (photos and TT data) about the components inside. I know for sure the FLASH inside is 16M vs. 8M!

The only big disappointment about the TP-Link WDR4900 Ver.1.0 and 2.0, both Chinese and foreign version TP-LINK firmware: there is no option for "Guest WiFi network".

Happy hacking!

(Last edited by mveplus on 4 Feb 2013, 06:49)

Hmm, the "non-chinese" version is supposedly running an 800MHz Freescale Semiconductor P1010 CPU. Along with different wireless PAs and configuration it's pretty much an entirely different unit.

Wish I could get hold of the Chinese version around here...

Can Poster run commands like:
cat /proc/cpuinfo
meminfo

I have to say that I do like the idea of three-way diversity on each of the bands. Looking at the great images provided, there appear to be both solder pads used by the existing antennas, as well as micro-SMA-like sockets for all six.

Interestingly, the board images above seem to be significantly different than those shown on the English-language "glossy" at http://www.tp-link.com/common/features/ … R4900.html

That glossy also indicates that (for the English-speaking market) there are three internal "patch" antennas for 2.4 GHz, and the rubber duckies are for the 5 GHz band. If there are internal connectors in the production version, that helps keep me from trying to find a reliable supplier of the Chinese-market version ;)

(Last edited by jeffster on 6 Feb 2013, 23:26)

Looking at the PCB image, it looks a lot more like Murata SWD test points, than U.FL/ IPEX connectors usually used for pigtails.

does the chinese version's firmware support english language? i am living in china and considering buying this router.
if only chinese language, then i'd rather bring back non-chinese version from europe.

or can non-chinese firmware be flashed on the chinese version?

thanks for any info on this!

alphasparc wrote:

Can Poster run commands like:
cat /proc/cpuinfo
meminfo

No, I cannot log in and don't know the default password for the TP-Link firmware. If someone knows it, share it.
I'll post the result here...

td101 wrote:

does the chinese version's firmware support english language? i am living in china and considering buying this router.
if only chinese language, then i'd rather bring back non-chinese version from europe.

or can non-chinese firmware be flashed on the chinese version?

thanks for any info on this!

No, it neither supports nor has English, but all TP-Links have the same structure, and it's not hard for someone familiar with a general router interface to figure it out even without knowing Chinese!

For the 2.4G band, under the fat solder joints there is a place for soldering (U.FL/IPEX or Sunridge MC (Miniature Coaxial)) connectors as well! They just saved them :) The next HW revision may not have the (U.FL/IPEX or Sunridge MC (Miniature Coaxial)) connectors for 5G as well :P

(Last edited by mveplus on 24 Feb 2013, 06:12)

nebbia88 wrote:
mveplus wrote:
alphasparc wrote:

Can Poster run commands like:
cat /proc/cpuinfo
meminfo

No, I cannot log in and don't know the default password for the TP-Link firmware. If someone knows it, share it.
I'll post the result here...

https://forum.openwrt.org/viewtopic.php?id=28728

http://websec.ca/advisories/view/root-s … ink-wdr740

Thanks for the links! But still no shell access...

So far these are no go:

root/5up
root/admin
root

"TL-WDR4900 login: ap71
login: no valid shadow password"

TL-WDR4900 login: Admin
login: no valid shadow password

No point to try "Admin/5up"

TL-WDR4900 login: adm
login: no valid shadow password

TL-WDR4900 login: admin
login: no valid shadow password

ap135/
ap135/5up

TL-WDR4900 login: operator
login: no valid shadow password

osteam/5up
osteam/

and a few other combinations...

Looked at some Chinese pages as well but still hit the wall...

More wisdom?

(Last edited by mveplus on 24 Feb 2013, 11:49)

How about tpl/5up?
I got this from the tp-link WDR-4900V1 fs
/etc/shadow

root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
bin::10933:0:99999:7:::
daemon::10933:0:99999:7:::
adm::10933:0:99999:7:::
lp:*:10933:0:99999:7:::
sync:*:10933:0:99999:7:::
shutdown:*:10933:0:99999:7:::
halt:*:10933:0:99999:7:::
uucp:*:10933:0:99999:7:::
operator:*:10933:0:99999:7:::
nobody::10933:0:99999:7:::
ap71::10933:0:99999:7:::

/etc/passwd

root:x:0:0:root:/root:/bin/sh
Admin:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:65534:65534:nobody:/home:/bin/sh
ap71:x:500:0:Linux User,,,:/root:/bin/sh

Looks like only root and Admin are valid users.

(Last edited by alphasparc on 26 Feb 2013, 03:26)
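As an added example (not part of the original posts, and not TP-Link or OpenWrt code), a firmware reviewer could audit an extracted shadow/passwd pair like the one quoted above for weak credential storage: empty password fields, locked entries, md5crypt hashes, empty salts, hashes shared between accounts, and extra UID 0 accounts. The names `audit` and `WEAK_SCHEMES` are hypothetical, and the input is a constructed subset of the lines in the post.

```python
# Constructed sample: a subset of the shadow/passwd lines quoted in the post above.
SHADOW = """root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
bin::10933:0:99999:7:::
lp:*:10933:0:99999:7:::
ap71::10933:0:99999:7:::"""
PASSWD = """root:x:0:0:root:/root:/bin/sh
Admin:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
ap71:x:500:0:Linux User,,,:/root:/bin/sh"""

WEAK_SCHEMES = {"1": "md5crypt"}  # crypt(3) id -> name; extend per local policy

def audit(shadow_text, passwd_text):
    """Return {user: [findings]} for a firmware's shadow/passwd pair."""
    uid = {f[0]: int(f[2]) for f in
           (l.split(":") for l in passwd_text.splitlines()) if len(f) >= 7}
    rows = [l.split(":") for l in shadow_text.splitlines() if ":" in l]
    seen = {}                                   # hash field -> users carrying it
    for f in rows:
        if f[1].startswith("$"):
            seen.setdefault(f[1], []).append(f[0])
    report = {}
    for f in rows:
        user, field, notes = f[0], f[1], []
        if field == "":
            notes.append("empty-password-field")    # shadow(5): no password set
        elif field[0] in "*!":
            notes.append("locked")                  # no hash can ever match
        elif field.startswith("$"):
            parts = field.split("$")                # ['', id, salt, digest]
            if parts[1] in WEAK_SCHEMES:
                notes.append("weak-scheme:" + WEAK_SCHEMES[parts[1]])
            if len(parts) > 3 and parts[2] == "":
                notes.append("empty-salt")          # equal passwords give equal hashes
            if len(seen[field]) > 1:
                notes.append("shared-hash")         # same credential on several accounts
        else:
            notes.append("legacy-or-unknown-format")
        if uid.get(user) == 0 and user != "root":
            notes.append("extra-uid0-account")      # second name for the root identity
        report[user] = notes
    return report

if __name__ == "__main__":
    for user, notes in audit(SHADOW, PASSWD).items():
        print(f"{user:8} {', '.join(notes)}")
```
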

alphasparc wrote:

How about tpl/5up?
I got this from the tp-link WDR-4900V1 fs
/etc/shadow

root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
bin::10933:0:99999:7:::
daemon::10933:0:99999:7:::
adm::10933:0:99999:7:::
lp:*:10933:0:99999:7:::
sync:*:10933:0:99999:7:::
shutdown:*:10933:0:99999:7:::
halt:*:10933:0:99999:7:::
uucp:*:10933:0:99999:7:::
operator:*:10933:0:99999:7:::
nobody::10933:0:99999:7:::
ap71::10933:0:99999:7:::

/etc/passwd

root:x:0:0:root:/root:/bin/sh
Admin:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:65534:65534:nobody:/home:/bin/sh
ap71:x:500:0:Linux User,,,:/root:/bin/sh

Looks like only root and Admin are valid users.

tpl/5up and only tpl/: no shell. I'll look at the shadow & passwd files to see what I have there...

Thanks!

Here is the unsquashed bin from the official CN website:

user@ubuntu:~/rootfs/etc$ cat shadow 
root:$1$GTN.gpri$DlSyKvZKMR9A9Uj9e9wR3/:15502:0:99999:7:::

user@ubuntu:~/rootfs/etc$ ls -lah passwd 
lrwxrwxrwx 1 root root 11 2013-02-26 22:36 passwd -> /tmp/passwd

The unsquashed on-board BIN dump has the same content!

(Last edited by mveplus on 27 Feb 2013, 08:19)

any updates? i am willing to donate $ for you to complete the firmware

hotbullet wrote:

any updates? i am willing to donate $ for you to complete the firmware

This board is very similar to the tplink archer c7. I think it's just using a different chip that doesn't support wireless ac for 5ghz support. The best way to get this supported would be to send one of these to a dev or learn how to code :P

Please, try username=root, password=5up.

any luck of at least having english menu for this router?

Trying to make a backup of original firmware of my TL-WDR7500, it looks quite similar with WDR4900.
Connected via serial, tried all known tplink passwords, but no luck.

Tried to unhash the shadow "$1$GTN.gpri$DlSyKvZKMR9A9Uj9e9wR3/" with hashcat, checked all 4-char passwords, but still no luck.

nebbia88 wrote:

can you get root login from web gui?

https://forum.openwrt.org/viewtopic.php … 08#p190708

If you mean http://.../userRpmNatDebugRpm26525557/linux_cmdline.html I get only an error page in Chinese that says something like Unauthorized

oh i thought good news ^ ^

This unit is almost identical to the Archer C7; in fact the only difference I have found is the 5GHz wireless chip (AR9580 vs QCA9880). It is possible to boot and run this device from the Archer C7 firmware or the ramimage provided by Ck-NoSFeRaTU for Archer C7 hackers, but without access to radio1.

# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00020000 00010000 "u-boot"
mtd1: 00100000 00010000 "kernel"
mtd2: 006d0000 00010000 "rootfs"
mtd3: 00240000 00010000 "rootfs_data"
mtd4: 00010000 00010000 "art"
mtd5: 007d0000 00010000 "firmware"
# cat /proc/cpuinfo
system type             : Qualcomm Atheros QCA9558 rev 0
machine                 : TP-LINK Archer C7
processor               : 0
cpu model               : MIPS 74Kc V5.0
BogoMIPS                : 358.80
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : yes
hardware watchpoint     : yes, count: 4, address/irw mask: [0x0000, 0x0f68, 0x01f8, 0x0448]
isa                     : mips1 mips2 mips32r1 mips32r2
ASEs implemented        : mips16 dsp dsp2
shadow register sets    : 1
kscratch registers      : 0
core                    : 0
VCED exceptions         : not available
VCEI exceptions         : not available

One difference I noted in the bootlog, but it just seems to be more verbose info on the first GMAC coming up:

diff -abw CoolTerm_TL-WDR4900_040213.txt U-Boot_1.1.4_TL-WDR4900_20140206.txt
194a193,200
>
> Enet:1 port1 up
> 955x_GMAC: enet unit:1 is up...
> eth1  SGMII  1000Mbps  full duplex
> 955x_GMAC: qca955x_soc_gmac_set_mac_duplex
> 955x_GMAC: qca955x_soc_gmac_set_link Done
> 955x_GMAC: done cfg2 0x7215 ifctl 0x0 miictrl
> ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready

I will be tinkering a bit more and let you know if I get anywhere.

Well, I've done some further digging and generally mucking about (sorry, I'm far from a professional at this part - just playing and willing to do possibly stupid things just to see if they work...).

First, it seems both qca9558 and my first analysis of this being quite similar to the Archer C7 board are only about 50% correct. It's more like the unholy missing link in between the 43x0 series and the C7 series. The good news is, this meant that bits and pieces from each worked, and since many key components remained the same, I was able to boot firmwares from both in a sort of half-working condition.

I presently have hacked together a new machine type for the 4900v2, with bits taken from both the C7 and 4300 machine types. It is working and bootable, though I have been flashing over serial and not sure if it can be done from stock (I believe stock firmwares are signed, and I don't think we can get at the keys to accomplish this).

More to come...

For anyone who may be interested, I have uploaded working firmware for the WDR4900 v2.0, as well as other relevant files for anyone who may want to produce their own builds. I have submitted the required patches to openwrt-devel but have not heard anything back, and I'm not sure it will ever be included.

You can find the relevant files here

And of course, a lengthy disclaimer to cover my precious backside:

All files are provided AS IS without any warranty expressed, implied, or otherwise misconstrued. Not responsible for direct, indirect, incidental or consequential damages resulting from any defect, error or failure to perform. This product is meant for educational or testing purposes only. Use only as directed. Subject to change without notice. Use constitutes acceptance of agreement. Any resemblance to real persons, living or dead is purely coincidental. Some assembly required. Do not use while operating a motor vehicle or heavy equipment. Avoid contact with skin. Contains a substantial amount of non-tobacco ingredients. Freshest if eaten before date on carton. No purchase necessary. Use only in well-ventilated area. Keep away from fire or flame. Not recommended for children. This supersedes all previous notices.