OpenWrt Forum Archive

Topic: Finally firmware recovery mode under U-Boot in TP-Link routers

The content of this topic has been archived on 12 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

It seems that the new version of TP-Link's firmware for the TL-WDR4300 (TL-WDR4300_V1_130617) contains a U-Boot with a hidden firmware recovery mode (TFTP).

Here is a fragment of the boot log (the router was powered on with the WPS/Reset button held down):

U-Boot 1.1.4 (Jun 17 2013 - 12:31:57)

U-boot DB120


DRAM:  128 MB
id read 0x100000ff
flash size 8MB, sector count = 128
Flash:  8 MB
Using default environment

PCIe Reset OK!!!!!!
In:    serial
Out:   serial
Err:   serial
Net:   ag934x_enet_initialize...
No valid address in Flash. Using fixed address
 wasp  reset mask:c03300 
WASP  ----> S17 PHY *
: cfg1 0x7 cfg2 0x7114
eth0: ba:be:fa:ce:08:41
athrs17_reg_init: complete
eth0 up
eth0
dup 1 speed 1000
Using eth0 device
TFTP from server 192.168.0.66; our IP address is 192.168.0.86
Filename 'wdr4300v1_tp_recovery.bin'.
Load address: 0x80060000
Loading: T T

More information can be found here:
http://forum.ixbt.com/topic.cgi?id=14:59307:610#609 (RU)
http://eko.one.pl/forum/viewtopic.php?id=6953 (PL)
http://openrouter.info/forum/viewtopic. … mp;p=30991 (PL)

Some time ago I found a similar recovery mode in TP-Link's GPL sources for the WR710N, in the main.c file, but the official image doesn't have it (probably due to a missing FIRMWARE_RECOVERY definition):

#ifdef FIRMWARE_RECOVERY

/* Header of the firmware image already in flash: CPU view of the SPI flash,
 * 128 KB (0x20000) after its start, i.e. right behind the U-Boot region. */
#define ORG_FILE_BASE 0x9F020000
#define ORG_PRODUCT_ID_POS (ORG_FILE_BASE + 0x40)
#define ORG_PRODUCT_VER_POS (ORG_FILE_BASE + 0x44)

/* RAM address the recovery image is downloaded to; same header layout. */
#define UP_FILE_BASE 0x80800000
#define UP_PRODUCT_ID_POS (UP_FILE_BASE + 0x40)
#define UP_PRODUCT_VER_POS (UP_FILE_BASE + 0x44)
#define PRODUCT_ID_VER_LEN 4

      int is_auto_upload_firmware = 0;
      unsigned int original_product_id;
      unsigned int original_product_ver;
      unsigned int recovery_product_id;
      unsigned int recovery_product_ver;

      /* recovery mode is entered only if the reset button is held at power-on */
      ar7240_auf_gpio_init();
      is_auto_upload_firmware = ar7240_is_rst_btn_pressed();

      printf("auto update firmware: is_auto_upload_firmware = %d!\n", is_auto_upload_firmware);

      if (is_auto_upload_firmware)
      {
         ar7240_wps_led_on();

         /* wait for ethernet config done. */
         udelay(2000*1000);

         /* fixed TFTP server / client addresses and a fixed file name;
          * the return value of the tftp command is not checked */
         run_command("setenv serverip 192.168.0.66", 0);
         run_command("setenv ipaddr 192.168.0.86", 0);

         run_command("tftp 80800000 wr741ndv4_tp_recovery.bin", 0);

         /* product id/version of the image already in flash ... */
         memcpy(&original_product_id, (const void *)ORG_PRODUCT_ID_POS, PRODUCT_ID_VER_LEN);
         memcpy(&original_product_ver, (const void *)ORG_PRODUCT_VER_POS, PRODUCT_ID_VER_LEN);

         /* ... and of the image just downloaded to RAM */
         memcpy(&recovery_product_id, (const void *)UP_PRODUCT_ID_POS, PRODUCT_ID_VER_LEN);
         memcpy(&recovery_product_ver, (const void *)UP_PRODUCT_VER_POS, PRODUCT_ID_VER_LEN);

         /* both words must match; nothing else (checksum, size) is verified here */
         if ( (original_product_id == recovery_product_id)
             && (original_product_ver== recovery_product_ver) )
         {
            printf("auto update firmware: product id verify sucess!\n");
            /* erase and rewrite a fixed 0x3c0000 bytes (60 x 64 KB sectors) from 0x9f020000 */
            run_command("erase 9f020000 +3c0000; cp.b 80800000 9f020000 3c0000", 0);
            do_reset (NULL, 0, 0, NULL);
         }
         else
         {
            printf("auto update firmware: product id verify fail!\n");
            ar7240_wps_led_off();
         }
      }
      else
      {
         ar7240_wps_led_off();
      }
#endif

Maybe TP-Link is going to add this feature to all their routers in the near future?

(Last edited by pepe2k on 21 Sep 2013, 21:45)
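To make the check in that fragment concrete, here is an added Python model of it (example code written for this archive, not TP-Link's or OpenWrt's code). It assumes the same constants as the GPL fragment: big-endian 32-bit product id and version at header offsets 0x40/0x44, the in-flash image base 0x9F020000 (flash offset 0x20000, i.e. right after the 128 KB U-Boot region) and 64 KB erase sectors as the boot logs show. The flash dump and images are constructed; the id/version pair 0x10430001/0x00000001 is taken from the WR1043ND v1 log later in this thread, the other product id is made up, and the 0x200-byte header length is an assumption. The patch_id_ver helper edits only the two header words; the thread notes that the image checksum would also need recalculating, which this does not do.

```python
"""Model of the product id / version check done by TP-Link's U-Boot firmware
recovery mode (FIRMWARE_RECOVERY in the GPL main.c fragment above)."""
from __future__ import annotations
import struct

FLASH_BASE = 0x9F000000      # CPU view of the SPI flash (assumed from the 0x9F020000 define)
ORG_FILE_BASE = 0x9F020000   # image already in flash, 0x20000 bytes after flash start
SECTOR_SIZE = 0x10000        # boot log: "sector size 0x10000"
PRODUCT_ID_OFF = 0x40
PRODUCT_VER_OFF = 0x44
HEADER_LEN = 0x200           # assumption for the constructed sample images


def read_id_ver(buf: bytes, base: int = 0) -> tuple[int, int]:
    """(product_id, product_ver) at base+0x40/+0x44, big-endian like a MIPS memcpy
    into an unsigned int on the router."""
    (pid,) = struct.unpack_from(">I", buf, base + PRODUCT_ID_OFF)
    (ver,) = struct.unpack_from(">I", buf, base + PRODUCT_VER_OFF)
    return pid, ver


def recovery_check(flash: bytes, image: bytes) -> bool:
    """Mirror of the U-Boot logic: the header already in flash at 0x9F020000 must
    carry the same id and version as the header of the TFTP'd image (RAM offset 0)."""
    original = read_id_ver(flash, ORG_FILE_BASE - FLASH_BASE)
    recovery = read_id_ver(image, 0)
    return original == recovery


def erase_sectors(addr: int, length: int) -> tuple[int, int, int]:
    """Sector range touched by U-Boot's 'erase <addr> +<len>': (first, last, count)."""
    first = (addr - FLASH_BASE) // SECTOR_SIZE
    last = (addr - FLASH_BASE + length - 1) // SECTOR_SIZE
    return first, last, last - first + 1


def make_header(pid: int, ver: int, size: int = HEADER_LEN) -> bytes:
    """Constructed minimal header: only the two words the recovery mode looks at."""
    h = bytearray(size)
    struct.pack_into(">I", h, PRODUCT_ID_OFF, pid)
    struct.pack_into(">I", h, PRODUCT_VER_OFF, ver)
    return bytes(h)


def patch_id_ver(image: bytes, pid: int, ver: int) -> bytes:
    """Option 1 from the thread: rewrite id/version in an image header.
    NOTE: does not recalculate any checksum the header may also carry."""
    out = bytearray(image)
    struct.pack_into(">I", out, PRODUCT_ID_OFF, pid)
    struct.pack_into(">I", out, PRODUCT_VER_OFF, ver)
    return bytes(out)


# Constructed samples. 0x10430001 / 0x00000001 are the values printed in the
# WR1043ND v1 recovery log ("new id = 10430001, new ver = 00000001").
WR1043_ID, WR1043_VER = 0x10430001, 0x00000001
FLASH_DUMP = bytes(0x20000) + make_header(WR1043_ID, WR1043_VER)   # U-Boot region + header
GOOD_IMAGE = make_header(WR1043_ID, WR1043_VER)
BAD_IMAGE = make_header(0x30200001, 1)   # hypothetical id of some other product

if __name__ == "__main__":
    print("matching image:", recovery_check(FLASH_DUMP, GOOD_IMAGE))
    print("foreign image: ", recovery_check(FLASH_DUMP, BAD_IMAGE))
    print("erase 9f020000 +3c0000 ->", erase_sectors(ORG_FILE_BASE, 0x3C0000))
```

erase_sectors(0x9F020000, 0x3C0000) gives sectors 2..61, 60 sectors, for the fixed `erase 9f020000 +3c0000` in the fragment. The WR1043ND v1 log further down ("First 0x2 last 0x7d ... Erased 124 sectors") corresponds to a 0x7C0000-byte payload; that is the 0x7e0200-byte file minus a 0x200 header and the 0x20000 U-Boot part, which is my inference from the numbers, not something the log states.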

Small update

It seems that most modern TP-Link routers got this recovery mode in the Russian official firmware from the 05~06.2013 period (http://www.tp-linkru.com/support/download/).

I was able to test only the following devices with the corresponding OFW, and all of them have recovery mode:

  • TL-WDR4300: TL-WDR4300_V1_130617 (PL), TL-WDR4300_V1_130617 (RU)

  • TL-WDR3600: TL-WDR3600_V1_130527_RU (RU)

  • TL-MR3020: TL-MR3020_V1_130507_RU (RU)

  • TL-MR3220 v2: TL-MR3220_V2_130607_RU (RU)

nebbia88 wrote:

https://forum.openwrt.org/viewtopic.php … 77#p222177

Have you ever made similar tests, pepe2k?

Yes, of course. Take a look at this source fragment (it's from official TP-Link GPL sources):

#ifdef FIRMWARE_RECOVERY

#define ORG_FILE_BASE 0x9F020000
#define ORG_PRODUCT_ID_POS (ORG_FILE_BASE + 0x40)
#define ORG_PRODUCT_VER_POS (ORG_FILE_BASE + 0x44)
         
#define UP_FILE_BASE 0x80800000
#define UP_PRODUCT_ID_POS (UP_FILE_BASE + 0x40)
#define UP_PRODUCT_VER_POS (UP_FILE_BASE + 0x44)
#define PRODUCT_ID_VER_LEN 4

      int is_auto_upload_firmware = 0;
      unsigned int original_product_id;   
      unsigned int original_product_ver;   
      unsigned int recovery_product_id;
      unsigned int recovery_product_ver;   
   
      ar7240_auf_gpio_init();
      is_auto_upload_firmware = ar7240_is_rst_btn_pressed();

      printf("auto update firmware: is_auto_upload_firmware = %d!\n", is_auto_upload_firmware);

      if (is_auto_upload_firmware)
      {      
         ar7240_wps_led_on();
         
         /* wait for ethernet config done. */
         udelay(2000*1000);
         
         run_command("setenv serverip 192.168.0.66", 0);
         run_command("setenv ipaddr 192.168.0.86", 0);
         
         run_command("tftp 80800000 wr741ndv4_tp_recovery.bin", 0);
   
         memcpy(&original_product_id, ORG_PRODUCT_ID_POS, PRODUCT_ID_VER_LEN);
         memcpy(&original_product_ver, ORG_PRODUCT_VER_POS, PRODUCT_ID_VER_LEN);
         
         memcpy(&recovery_product_id, UP_PRODUCT_ID_POS, PRODUCT_ID_VER_LEN);
         memcpy(&recovery_product_ver, UP_PRODUCT_VER_POS, PRODUCT_ID_VER_LEN);
   
         if ( (original_product_id == recovery_product_id)
             && (original_product_ver== recovery_product_ver) )
         {
            printf("auto update firmware: product id verify sucess!\n");
            run_command("erase 9f020000 +3c0000; cp.b 80800000 9f020000 3c0000", 0);
            do_reset (NULL, 0, 0, NULL);
         }
         else
         {
            printf("auto update firmware: product id verify fail!\n");
            ar7240_wps_led_off();
         }
      }
      else
      {
         ar7240_wps_led_off();
      }
#endif

As you can see, the product id and version are verified before the new image is written to the flash.

If you want to use this mode with a WR703N and firmware for the MR3020... you have two options:
1. Change the product version and id in the original firmware's header (this will also require recalculating the checksum, I think).
2. Change the product version and id in your WR703N flash (offset: 0x1FD00, 4 bytes for each value).

The second one is better. Just remember that you need to:
1. Back up the content of the whole second 64 KB block of the FLASH in RAM.
2. Change the product version and id in RAM (mw command).
3. Erase the second 64 KB block in FLASH.
4. Write the data back from RAM to the second block in FLASH.

pepe2k wrote:

(it's from official TP-Link GPL sources):

I spent an hour searching for that in some TP-Link GPL source archives... where did you get it?

Anyway... you agree that this mode is USELESS if you flashed a wrong/corrupted firmware?

For example: it happens that a TP-Link firmware (U-Boot + firmware) is flashed into the firmware partition while trying to revert to stock firmware from OpenWrt.

Will this work in that case?

nebbia88 wrote:
pepe2k wrote:

(it's from official TP-Link GPL sources):

I spent an hour searching for that in some TP-Link GPL source archives... where did you get it?

http://www.tp-link.com/en/support/gpl/
But... I don't remember which one has this code... I'm almost sure that it isn't in the 741ND v4.
You should also know that TP-Link doesn't update their GPL sources...

nebbia88 wrote:

Anyway... you agree that this mode is USELESS if you flashed a wrong/corrupted firmware?

No, I don't agree.

nebbia88 wrote:

For example: it happens that a TP-Link firmware (U-Boot + firmware) is flashed into the firmware partition while trying to revert to stock firmware from OpenWrt.

U-Boot doesn't know anything about the mtd layout (the logical division of the FLASH)... it uses only offsets.

nebbia88 wrote:

Will this work in that case?

Yes, it will work. This mode compares the product version and product id stored in FLASH (inside your "uboot" partition, the first 128 KB, offset 0x1FD00) with the ones from the image you are uploading (every TP-Link firmware has a header with product version and id).

(Last edited by pepe2k on 9 Jan 2014, 16:46)

pepe2k wrote:

Yes, it will work. This mode compares the product version and product id stored in FLASH (inside your "uboot" partition, the first 128 KB, offset 0x1FD00) with the ones from the image you are uploading (every TP-Link firmware has a header with product version and id).

sure???

#define ORG_FILE_BASE 0x9F020000
#define ORG_PRODUCT_ID_POS (ORG_FILE_BASE + 0x40)
#define ORG_PRODUCT_VER_POS (ORG_FILE_BASE + 0x44)


pepe2k wrote:

But... I don't remember which one have this code... I'm almost sure that it isn't in 741NDv4 wink
You should also know that TP-Link doesn't update their GPL sources...

Well, I tried:

wdr4900
wr842v1/v2
ap123gpl.rar

and found nothing XD

(Last edited by nebbia88 on 9 Jan 2014, 18:07)

nebbia88 wrote:
pepe2k wrote:

Yes, it will work. This mode compares the product version and product id stored in FLASH (inside your "uboot" partition, the first 128 KB, offset 0x1FD00) with the ones from the image you are uploading (every TP-Link firmware has a header with product version and id).

sure???

#define ORG_FILE_BASE 0x9F020000
#define ORG_PRODUCT_ID_POS (ORG_FILE_BASE + 0x40)
#define ORG_PRODUCT_VER_POS (ORG_FILE_BASE + 0x44)

Ha, you're right, I'm sorry!

But... this mode should work if you flash the original firmware with the embedded U-Boot image. There are always two headers (one for U-Boot, and another for the firmware) in TP-Link's firmware, both with the product version and id at offset 0x40.

nebbia88 wrote:

Well, I tried:

wdr4900
wr842v1/v2
ap123gpl.rar

and found nothing XD

I found it, it's in WR710N v1 sources: http://www.tp-link.com/resources/gpl/br … nux.tar.gz

It seems that every TP-Link router will sooner or later get this mode! For example, the new TL-WR841N v9 has it and... it can also be found in the last OFW upgrade (19.03.2014) for the TL-WR1043ND v1 (use the reset button):

U-Boot 1.1.4 (Mar 19 2014 - 11:06:29)

AP83 (ar9100) U-boot 0.0.11
DRAM:  
sri
32 MB
id read 0x100000ff
flash size 8MB, sector count = 128
Flash:  8 MB
Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ag7100_enet_initialize...
No valid address in Flash. Using fixed address
: cfg1 0xf cfg2 0x7114
eth0: 00:03:7f:09:0b:ad
eth0 up
eth0
is_auto_upload_firmware=1
update start...
dup 1 speed 1000
Using eth0 device
TFTP from server 192.168.0.66; our IP address is 192.168.0.86
Filename 'wr1043nv1_tp_recovery.bin'.
Load address: 0x80800000
Loading: checksum bad
checksum bad
checksum bad
checksum bad
checksum bad
T #################################################################
     #################################################################
     #################################################################
     #################################################################
     #################################################################
     #################################################################
     #################################################################
     #################################################################
     #################################################################
     #################################################################
     #################################################################
     #################################################################
     #################################################################
     #################################################################
     #################################################################
     #################################################################
     #################################################################
     #################################################################
     #################################################################
     #################################################################
     #################################################################
     #################################################################
     #################################################################
     #################################################################
     #####################################################
done
Bytes transferred = 8258048 (7e0200 hex)
new id = 10430001, new ver = 00000001Firmware recovery: product id verify sucess!
Firmware recovery: filesize = 0x7e0200.

First 0x2 last 0x7d sector size 0x10000
 125
Erased 124 sectors
Copy to Flash... write addr: bf020000
done

Resetting...

No more bricked TP-Link routers?

Unfortunately, on the WDR4900 v1 it's relatively common to get the "auto update firmware: product id verify fail!" message, which prevents the flashing, even with the exact same firmware that works on other WDR4900 v1 devices.

I was in that situation, and still haven't figured out what I actually have at 0x9F020040 and 0x9F020044 during U-Boot. I should be able to find out with

hexdump -C /dev/something

right? Does anyone know where in /dev/ this info would be?

You should be able to (build and...) boot a ramdisk image and take a full dump.

Have a look at

cat /proc/mtd

and

ls /dev/mtd*

(Last edited by nebbia88 on 13 May 2014, 15:23)
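An added example (not from the thread or any project) of how to answer the question above from Linux running on the router rather than from U-Boot. /proc/mtd only lists partition sizes, and on TP-Link OpenWrt layouts the "firmware" and "rootfs_data" partitions overlap others, so summing sizes does not give absolute offsets; the MTD core does, however, log every partition as `0xSTART-0xEND : "name"` at boot (visible in dmesg), and the log order is the order the /dev/mtdN numbers are assigned. The partition lines below are a constructed, typical OpenWrt ar71xx 8 MB TP-Link layout, and the 0x9F000000 flash base is an assumption taken from the GPL defines quoted earlier; take the real lines from dmesg on your device.

```python
"""Map a CPU-view flash address (e.g. 0x9F020040 from the GPL defines) to the
/dev/mtdN device and in-partition offset where Linux exposes those bytes."""
from __future__ import annotations
import re
from typing import List, Tuple

FLASH_BASE = 0x9F000000   # assumption: SPI flash base behind the U-Boot defines
MTD_LINE = re.compile(r'0x([0-9a-f]+)-0x([0-9a-f]+) : "([^"]+)"')

# Constructed dmesg excerpt (typical OpenWrt ar71xx TP-Link 8 MB layout).
# "rootfs_data" and "firmware" overlap other partitions on purpose.
MTD_LOG = """\
0x000000000000-0x000000020000 : "u-boot"
0x000000020000-0x000000160000 : "kernel"
0x000000160000-0x0000007f0000 : "rootfs"
0x0000003a0000-0x0000007f0000 : "rootfs_data"
0x0000007f0000-0x000000800000 : "art"
0x000000020000-0x0000007f0000 : "firmware"
"""


def parse_mtd_log(text: str) -> List[Tuple[int, str, int, int]]:
    """(mtd_index, name, start, end) per partition, index in log order,
    which is the order the kernel numbers /dev/mtdN."""
    parts: List[Tuple[int, str, int, int]] = []
    for m in MTD_LINE.finditer(text):
        start, end, name = int(m.group(1), 16), int(m.group(2), 16), m.group(3)
        parts.append((len(parts), name, start, end))
    return parts


def locate(addr: int, parts, flash_base: int = FLASH_BASE) -> List[Tuple[str, int, int]]:
    """Every partition containing the flash offset behind `addr`, with the
    offset to use inside that partition's device node."""
    off = addr - flash_base
    return [(name, idx, off - start) for idx, name, start, end in parts if start <= off < end]


def hexdump_cmd(mtd_index: int, offset: int, length: int = 8) -> str:
    """Shell command to show the product id (+0x40) and version (+0x44) words.
    /dev/mtdNro is the read-only node, so a typo cannot erase anything."""
    return f"hexdump -C -s {offset:#x} -n {length} /dev/mtd{mtd_index}ro"


if __name__ == "__main__":
    parts = parse_mtd_log(MTD_LOG)
    for name, idx, off in locate(0x9F020040, parts):
        print(f"{name:12s} {hexdump_cmd(idx, off)}")
```

With this layout 0x9F020040 is offset 0x40 of both the "kernel" and the "firmware" partition, so either `/dev/mtd1ro` or `/dev/mtd5ro` shows the same eight bytes. On a device that no longer boots its own firmware you run this from the ramdisk image nebbia88 mentions, since the flash contents are what you are trying to inspect.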

Does the TP-LINK TL-WR841N v8.4 with 130506 have recovery mode?

I tested on a WR1043ND v1: this recovery function will work with any OpenWrt factory image for the router.
Finally I can avoid using the serial pins...

I did:

mtd -e firmware -r write openwrt-ar71xx-generic-tl-mr3220-v2-squashfs-factory.bin firmware

The results in the console were OK, the router rebooted, but something went wrong.

It looks like a brick: the SYS LED doesn't flash after powering on; I tried to sniff traffic and nothing happens after boot.

What is the maximum firmware file size for the MR3220 v2? Mine was 3.8 MB (3932160 bytes). Is that the reason?

I really wish I had seen this thread and upgraded the WDR3600 to the latest U-Boot so it had this feature.
Now I have to use the serial pins for the console.

Good thing the interim WDR4300 has this feature!

Hi pepe2k,

I believe the new 703N firmware probably has this U-Boot and product id check, which is preventing people from installing OpenWrt on the latest firmware.

Can you help confirm, or provide some basic instructions on how I can confirm? I would really appreciate it.

https://forum.openwrt.org/viewtopic.php?id=49387

KK

Hi pepe2k

I am new to this forum and I have a question:
I have a WDR3600 router and I read your post about the hidden recovery mode (TFTP) and saw the boot log that you posted. My question is: how do I use (or enter) this recovery mode of the router from a Windows 7 PC? And by the way, how can I get the boot log of the router?
One more question: can I telnet or connect in any way to the U-Boot console of the WDR3600 router?

I know these questions sound silly, but I am new to this.

Thanks in advance

(Last edited by nkamal62 on 7 Sep 2014, 23:40)

nkamal62 wrote:

I am new to this forum and I have a question:

It's usually difficult to get answers on forums like this because technically knowledgeable people do not have the patience to explain complicated stuff in all the details for noobs like you and me. Their time is better spent on... uhm... stuff. Like fixing bugs. So I'll try my best to make some educated guesses, but remember that these are not based on any personal experience.

nkamal62 wrote:

how do I use (or enter) this recovery mode of the router from a Windows 7 PC?

To enter recovery mode, press and hold the WPS/Reset button while powering on until the WPS LED turns on.
Source: http://wiki.openwrt.org/toh/tp-link/tl- … vision.1.5
On Windows 7 you'll need a tftp server. Like this one: http://tftpd32.jounin.net/
Here is how you can set static IP on Windows 7: http://www.howtogeek.com/howto/19249/ho … windows-7/

nkamal62 wrote:

And by the way, how can I get the boot log of the router?

You need to connect to the U-Boot console via the serial port while booting.
Source: http://wiki.openwrt.org/doc/techref/boo … oot.config
And also: http://stackoverflow.com/questions/1946 … for-u-boot

nkamal62 wrote:

can I telnet or connect in any way to the U-Boot console of the WDR3600 router?

You can't telnet. You can connect via the serial port as described above.
But see https://github.com/pepe2k/u-boot_mod for a U-Boot mod and an accompanying network console application.

(Last edited by zespri on 30 Sep 2014, 18:39)

The last firmware for the TL-WDR4300 is 64K smaller in size.
Until now, all firmwares that include U-Boot were 8258048 bytes in size.
The last one (140916) is 8192512 bytes in size.

At the TP-Link website ( http://www.tplink.com/en/support/downlo … version=V1 ) there's a note:

Since the security mechanism of the new firmware has improved, the configuration file of the old firmware cannot be used in the new firmware.

I hope that this isn't a move to signed firmwares like the TD-W8970/8980/9980.

The discussion might have continued from here.