OpenWrt Forum Archive

Topic: TP-Link TL-WR841N v8.0

The content of this topic has been archived between 26 Jul 2014 and 6 May 2018. Unfortunately there are posts – most likely complete pages – missing.

uboot is updated by the newest firmware (can't know what the changes in the newer uboot are); you can see the version at offset 0x3450:

"U-Boot 1.1.4 (Aug  2 2012 - 11:33:04)" in 120802 firmware,

"U-Boot 1.1.4 (Nov  1 2012 - 10:25:34)" in 121101 firmware.

That is, they put the timestamp of the firmware in the u-boot version... Really can't understand this thing...

Anyway they say that you can't downgrade firmware; I assume the oldest firmware does not work ok with the new bootloader??

I still cannot understand what the current output of your bricked router is.. does uboot show itself, or is it completely dead so that you must use a flash programmer (or the trick with 2 flash chips in parallel)??


EDIT: wrong call, there is no warning about using old firmware on a new bootloader FOR THIS MODEL, but there is one for the 741, really interesting...

http://www.tp-link.it/support/download/ … version=V4

(Last edited by nebbia88 on 23 Nov 2012, 13:10)

nebbia88 wrote:

uboot is updated by the newest firmware (can't know what the changes in the newer uboot are); you can see the version at offset 0x3450:

"U-Boot 1.1.4 (Aug  2 2012 - 11:33:04)" in 120802 firmware,

"U-Boot 1.1.4 (Nov  1 2012 - 10:25:34)" in 121101 firmware.

That is, they put the timestamp of the firmware in the u-boot version... Really can't understand this thing...

Anyway they say that you can't downgrade firmware; I assume the oldest firmware does not work ok with the new bootloader??

I still cannot understand what the current output of your bricked router is.. does uboot show itself, or is it completely dead so that you must use a flash programmer (or the trick with 2 flash chips in parallel)??


EDIT: wrong call, there is no warning about using old firmware on a new bootloader FOR THIS MODEL, but there is one for the 741, really interesting...

http://www.tp-link.it/support/download/ … version=V4

Ok, well I suspected something there based on the supplied bootloader. Hmm, the version is the same, but the "compile" date is different. As for using old firmware with a more modern boot, note that it worked OK with router #1. I think the original firmware was the Aug 2 2012 release, so that should be the installed bootloader. They are close in mfg, one MAC ends in 74:63:34 and the other 74:62:EA, so there should be no diffs.

Now #2 is totally dead: it lights up all leds, no terminal output, probably nuked flash. I have not decided yet, but might go the "dual-flash" path, or just write it off as a learning experience.

Now, copying flash, I can see that not ALL flash is copied; am I correct in assuming the part NOT copied is stuff unique to the individual unit, such as MAC addresses? I also see that the disposition is different in openwrt and tplink fw, at least the mtd partition naming is.

Also, let us assume I cut out the first 257 blocks constituting the boot loader: is that the image that goes into the first blocks of flash? What about the header string info, is that ALSO put in flash, or does the mtd skip the header (guess = 1 block?)? Does the same go for the image proper?

(Last edited by gulweb on 23 Nov 2012, 19:11)

read this for flash layout??

http://wiki.openwrt.org/toh/tp-link/tl- … ash.layout

yes, when copying, the final part (art) is not copied..

the first 3 partitions, I think, are exactly like in the factory image with included uboot!

anyway it seems identical to the openwrt mtd partition scheme! I assume "config" equals "rootfs_data"...

(Last edited by nebbia88 on 23 Nov 2012, 20:06)

anyway it seems that uboot from the stock firmware with boot in the name is copied from 0x278-0x201FF TO 0x000-0x1FF87, so the first 0x277 bytes of the original firmware are just header, checks or I don't know what..

I got to that conclusion by hexcmp of my uboot dump:

cat /dev/mtd0 > /tmp/mtd0

against a firmware with boot in the name..

(Last edited by nebbia88 on 23 Nov 2012, 20:27)
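The hexcmp check described in the post above (a raw mtd0 dump compared against a stock firmware that contains the bootloader) can be scripted. The following Python is an added example, not code from this thread or from OpenWrt: it searches for a window of the dump inside the firmware file, reports the offset at which the bootloader starts (and so the length of the header in front of it) together with how much of the dump matches at that position, and pulls out the U-Boot version banner the first post mentions. All sample data is constructed in build_sample(); the 0x278 used there is only the offset reported in the post, not something read from a real image.

```python
"""Find a raw u-boot dump (cat /dev/mtd0 > /tmp/mtd0) inside a stock TP-Link
firmware file that ships with a bootloader, and report how many header bytes
sit in front of the bootloader.  Added example, not code from the thread;
the sample data below is constructed."""
import random
import re
from typing import Optional

MTD0_SIZE = 0x20000          # size of the u-boot partition (from /proc/mtd)
PAD = b"\xff"                # erased flash reads back as 0xFF
BANNER_RE = re.compile(rb"U-Boot \d+\.\d+\.\d+ \([^)]*\)")


def uboot_version(blob: bytes) -> Optional[str]:
    """Return the 'U-Boot x.y.z (build date)' banner found in a bootloader blob."""
    m = BANNER_RE.search(blob)
    return m.group(0).decode("ascii") if m else None


def locate_in_firmware(dump: bytes, firmware: bytes,
                       probe_off: int = 0x1000, probe_len: int = 0x100) -> dict:
    """Find where the bytes of an mtd0 dump start inside a firmware image.

    A probe window is taken from inside the dump rather than from offset 0
    (the first bytes may differ between units) and searched in the firmware.
    Its hit position minus probe_off is where the embedded bootloader starts,
    which is also the length of the header in front of it.  The whole dump is
    then compared at that position so the caller sees how alike the two are.
    """
    payload = dump.rstrip(PAD)   # drop the trailing 0xFF fill of the partition
    if len(payload) < probe_off + probe_len:
        raise ValueError("dump too short for the requested probe window")
    probe = payload[probe_off:probe_off + probe_len]
    hit = firmware.find(probe)
    if hit < probe_off:          # -1 (not found) or not enough room before it
        return {"found": False}
    start = hit - probe_off
    window = firmware[start:start + len(payload)]
    matching = sum(1 for a, b in zip(payload, window) if a == b)
    return {
        "found": True,
        "header_len": start,                    # bytes preceding the bootloader
        "boot_range": (start, start + len(payload) - 1),
        "match_ratio": matching / len(payload),
    }


def build_sample(seed: int = 1):
    """Constructed test data: a fake bootloader, its mtd0 dump, and a
    stock-style firmware image with a 0x278-byte header in front of it."""
    rng = random.Random(seed)
    boot = bytearray(rng.randrange(256) for _ in range(0x4000))
    banner = b"U-Boot 1.1.4 (Aug  2 2012 - 11:33:04)"
    boot[0x3000:0x3000 + len(banner)] = banner
    boot[-1] = 0x00              # make sure the blob does not end in pad bytes
    boot = bytes(boot)
    dump = boot + PAD * (MTD0_SIZE - len(boot))
    header = b"\x01\x00\x00\x00" + b"constructed header".ljust(0x278 - 4, b"\x00")
    trailer = bytes(rng.randrange(256) for _ in range(0x800))
    return dump, header + boot + trailer


if __name__ == "__main__":
    dump, firmware = build_sample()
    print(uboot_version(dump))
    print(locate_in_firmware(dump, firmware))
```

With a real dump, replace build_sample() by reading /tmp/mtd0 and the downloaded .bin; a match_ratio well below 1.0 at the reported offset means the two bootloaders differ in more than a few unit-specific bytes and the offset should be treated with suspicion.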

nebbia88 wrote:

read this for flash layout??

http://wiki.openwrt.org/toh/tp-link/tl- … ash.layout

yes, when copying, the final part (art) is not copied..

the first 3 partitions, I think, are exactly like in the factory image with included uboot!

anyway it seems identical to the openwrt mtd partition scheme! I assume "config" equals "rootfs_data"...

Ok, that is what I have deduced, but looking at the openwrt docs it seems:
- boot is the same
- kernel is the same
- rootfs is 1 block larger than (your link)
- there is no config partition
- art is last

I am getting more and more interested in doing the dual flash trick; it will be interesting to see if art is intact, and also if there IS a config, I guess otherwise I have no mac addresses any more.... :-) well, worry about that later....

You mention

anyway it seems that uboot from the stock firmware with boot in the name is copied from 0x278-0x201FF TO 0x000-0x1FF87, so the first 0x277 bytes of the original firmware

Are 000-1ff87 ram addresses when the processor is running? (they are mentioned at other offsets in Uboot) ??

(Last edited by gulweb on 23 Nov 2012, 21:27)

no, I only made a dump of my wr703 mtd0, and I saw that it is very similar (it will be equal if same model) to the 0x278-0x201FF part of the stock wr741 firmware with uboot...

nebbia88 wrote:

no, I only made a dump of my wr703 mtd0, and I saw that it is very similar (it will be equal if same model) to the 0x278-0x201FF part of the stock wr741 firmware with uboot...

Hm, I have to verify the actual addresses if I try this.

The copyflash example used

cp.b 0x9f000000 0x81000000 0x3effff ; 9f000000 base of flash ? 81000000 mid of ram ? start + 16 Mb ?? 3effff  (4Mb -64 k -1), why the -1?

My interpretation: copy boot + firmware + (config ??) but not the last byte, and do not touch art.

This is what the tplink linux says about the flash (captured on the broken board before I nuked it trying to restore the image):

# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00020000 00010000 "u-boot"
mtd1: 00100000 00010000 "kernel"
mtd2: 002c0000 00010000 "rootfs"
mtd3: 00010000 00010000 "config"
mtd4: 00010000 00010000 "art"

so, there is 64k reserved below art for config in the tplink image

and this is the error I got before it froze, copied from an earlier post, I did not save MY message

wasp> bootm 0x9f020000
## Booting image at 9f020000 ...
   Uncompressing Kernel Image ... Too big uncompressed streamLZMA ERROR 1 - must RESET board to recover

Now when turning on, the leds are:

led
1    2   3   4   5   6   7   8   9
on off off on on on on off off = power, WAN, port 1,2,3
completely static

(Last edited by gulweb on 23 Nov 2012, 22:25)
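To turn the /proc/mtd table above into absolute flash offsets, and to check a cp.b byte count or an erase range against that layout, the following Python is an added example, not from the thread or from OpenWrt. It assumes the partitions sit back to back from flash offset 0, which is how this board's flash is laid out; the dump used for carving is a constructed byte string, not a real image.

```python
"""Parse a /proc/mtd listing into absolute flash offsets, carve the partitions
out of a full flash dump and check copy/erase sizes against the layout.
Added example, not code from the thread.  It assumes the partitions are laid
out back to back from flash offset 0, as they are on this board."""
import re
from typing import Dict, List, NamedTuple

# /proc/mtd output of the stock firmware, copied from the post above
PROC_MTD = """\
dev:    size   erasesize  name
mtd0: 00020000 00010000 "u-boot"
mtd1: 00100000 00010000 "kernel"
mtd2: 002c0000 00010000 "rootfs"
mtd3: 00010000 00010000 "config"
mtd4: 00010000 00010000 "art"
"""

LINE_RE = re.compile(r'^mtd(\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"([^"]+)"$')


class Part(NamedTuple):
    name: str
    start: int        # absolute flash offset
    size: int
    erasesize: int

    @property
    def end(self) -> int:
        return self.start + self.size - 1


def parse_proc_mtd(text: str) -> List[Part]:
    """/proc/mtd only lists sizes, so each start is the running sum of the
    sizes before it.  Sequential mtdN numbering and sector-aligned sizes are
    required, otherwise the running sum would be meaningless."""
    parts: List[Part] = []
    offset = 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # the "dev: size ..." header line
        idx, size, erasesize, name = m.groups()
        size, erasesize = int(size, 16), int(erasesize, 16)
        if int(idx) != len(parts):
            raise ValueError(f"mtd{idx} out of order")
        if size % erasesize:
            raise ValueError(f"{name}: size {size:#x} not a multiple of erase size")
        parts.append(Part(name, offset, size, erasesize))
        offset += size
    return parts


def carve(dump: bytes, parts: List[Part]) -> Dict[str, bytes]:
    """Split a full flash dump into per-partition blobs, refusing dumps whose
    length does not match the layout (a short dump is the usual mistake)."""
    total = sum(p.size for p in parts)
    if len(dump) != total:
        raise ValueError(f"dump is {len(dump):#x} bytes, layout needs {total:#x}")
    return {p.name: dump[p.start:p.start + p.size] for p in parts}


def bytes_below(parts: List[Part], name: str) -> int:
    """Byte count covering every partition before `name`: the count to give
    U-Boot's `cp.b <flash> <ram> <count>` so that `name` is left untouched."""
    for p in parts:
        if p.name == name:
            return p.start
    raise KeyError(name)


def erase_sectors(start: int, end: int, erasesize: int = 0x10000) -> int:
    """Sectors touched by an inclusive byte range, as U-Boot's `erase start
    end` reports it; both bounds must sit on sector boundaries."""
    if start % erasesize or (end + 1) % erasesize or end < start:
        raise ValueError("range must cover whole erase sectors")
    return (end + 1 - start) // erasesize


def layout_table(parts: List[Part]) -> str:
    """Human-readable layout with start/end offsets."""
    rows = [f"{p.name:8} {p.start:#09x}-{p.end:#09x} ({p.size // 1024} KiB)" for p in parts]
    return "\n".join(rows)


if __name__ == "__main__":
    layout = parse_proc_mtd(PROC_MTD)
    print(layout_table(layout))
    print("count to copy everything below art:", hex(bytes_below(layout, "art")))
    print("sectors erased by 'erase 0 0x3dffff':", erase_sectors(0, 0x3dffff))
```

U-Boot's cp.b takes a byte count as its last argument, so bytes_below(layout, "art") returns 0x3f0000 as the count that copies everything below art; compare that with the count used in the command quoted above before relying on it. erase_sectors() gives the number of sectors an `erase <start> <end>` command should report, which is a cheap way to confirm the range you typed covers exactly the partitions you meant.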

that error seems common:

https://forum.openwrt.org/viewtopic.php … 59#p180059


https://forum.openwrt.org/viewtopic.php … 98#p170798


https://forum.openwrt.org/viewtopic.php?id=37670


the fact that the board DIED completely seems really strange.... I'm starting to think that it is not a flash problem

BTW what serial adaptor did you use? I was thinking that you did strange tries with resistors; maybe you killed the TX pin??


0x3EFFFF is the last byte of the complete flash (-art); it's obviously -1: if you have a 2 byte flash it will be from 0x0 to 0x1, that is 2-1 XD

0x9f000000 is the ram start I think,

(Last edited by nebbia88 on 23 Nov 2012, 23:10)

nebbia88 wrote:

that error seems common:

https://forum.openwrt.org/viewtopic.php … 59#p180059


https://forum.openwrt.org/viewtopic.php … 98#p170798


https://forum.openwrt.org/viewtopic.php?id=37670


the fact that the board DIED completely seems really strange.... I'm starting to think that it is not a flash problem

BTW what serial adaptor did you use? I was thinking that you did strange tries with resistors; maybe you killed the TX pin??


0x3EFFFF is the last byte of the complete flash (-art); it's obviously -1: if you have a 2 byte flash it will be from 0x0 to 0x1, that is 2-1 XD

0x9f000000 is the ram start I think,

Yes, a bit strange, well it is really hard to remember if you did something wrong, but to the best of my knowledge I have followed the advice here, and also tried to understand the small differences between my case and others. I don't believe I have been careless.

If you do something successfully, you do not expect the same thing to fail on identical hardware. Of course, it is possible I did a stupid typo or something, but TWICE on two different procedures on the same platform?

About the "resistor" stuff, I use a very simple circuit for level conversion, I have used it on several microprocessors, and it is basically an NPN transistor that does the conversion. Now, the base of this lives on +0.6 V, so when the TX pin is high, some small current is sunk from TX. What I found was NOT bad levels, but the total inability of the router to start if this resistor was 10k (which is pretty much standard, and does NOT load the output significantly). However, my observation is that the pin (TX) might have a different function at power on / startup reset, where it *might* indicate a specific startup condition. This is common on a lot of ICs. However, increasing the value and thus lowering the current drawn from the pin as I described made it work. It is merely an observation for somebody who might use a similar converter from for example Sparkfun.

Contrary to you, I believe it HAS to do with the flash, perhaps a timing issue, where some flash roms don't hack it. I had the opportunity to browse around in the broken tplink firmware, and while Linux booted, there were massive squashfs errors, wrong pointers, failure to load modules and components. A not-so-well-informed guess is that the upper part of the flash image was corrupted, so the thing actually booted, and I could log in; I even looked for a fsck, but no such thing.

(Last edited by gulweb on 23 Nov 2012, 23:37)

Yes, so you got 2 failures: one when restoring the tplink fw, and one trying from uboot the second time.. Also, probably wrong parameters in uboot (printenv would have been useful to inspect that) make me think your flash chip was failing.... Time to upgrade to 16M xD

nebbia88 wrote:

Yes, so you got 2 failures: one when restoring the tplink fw, and one trying from uboot the second time.. Also, probably wrong parameters in uboot (printenv would have been useful to inspect that) make me think your flash chip was failing.... Time to upgrade to 16M xD

For you nebbia88 and all others who can learn something from this:

I could not get to rest about my router not wanting to cooperate, so I followed the nice tip from nebbia88 to remove the flash chip from the bricked router and piggyback it onto the flash in the working router. I lifted pin 1 of the "good" router, and attached some wires and a micro alligator clip so I could select the flash manually. I did this fully aware that I might nuke the only remaining hw. This took some hours; I wish I were 16 again :-)

I booted the router with the good flash selected (115kbaud/7S1). I attempted to copy boot+firmware, but leaving the two highest 64 k blocks intact, so I used a size of 0x3dffff, not touching sector 3e (config??) and 3f (art??). I switched chip select, erased 0-3dffff, and was greeted with "62 sectors erased", which seems correct. I copied ram to flash. Without changing anything, I switched power off / on. SAME BEHAVIOUR AS BEFORE, leds 1 x x 4 5 6 7 x x ON, nothing on the terminal.

I repeated the experiment, still in wasp>, but this time I copied only the boot, i.e. the first 0x20000 bytes.

Power up, SAME AS BEFORE.

New repeat, this time all of the first 62 sectors, boot + firmware. Tried bootm 0x9f020000


bootm 0x9f020000
## Booting image at 9f020000 ...
   Uncompressing Kernel Image ... Too big uncompressed streamLZMA ERROR 1 - must RESET board to recover

and a dead router, no uboot, leds on 1 x x 4 5 6 7 x x

(note the pattern, it is NOT power + switch ports, maybe it means "xxx -data corrupted, cannot start" ??)

Last try before throwing the piggyback flash in the recycling: I restarted again, but this time I copied ALL flash, 0x400000. Power off/on, and now the thing is booting. So, this is now an identical twin, and MAC addr etc is screwed, but Uboot works. So, 2 possibilities:

1. there is something that needs to be in config or art, and that something prevents uboot from running. Partition chksum??
2. there is a bug in uboot, so the copy operations do not do what you ask

So, now I am going to transfer the chip back into the "bricked router" but I think I'll save that for tomorrow :-)

(Last edited by gulweb on 24 Nov 2012, 20:41)

My guess is that your second flash chip was blown.. You'll find out only by trying the good flash on the bricked unit!

nebbia88 wrote:

My guess is that your second flash chip was blown.. You'll find out only by trying the good flash on the bricked unit!

No, I don't think so, I can reboot with either chip on the "good" router, but I will put it back on the "bad" router tomorrow, and see if I indeed have two identical twins now. If that is correct, I will have to dump the config space, so I can edit and fix the MAC addresses, since now both routers are the same. It *seems* to me that copying the WHOLE chip repaired it.

Edit:

Now as I am learning more about the HW/Openwrt, it would be good to confirm a few suspicions. The flash on the TL-WR841ND is a serial flash. Thus, when the router is booted, the AR9341 (??) reads the entire contents of the flash into ram, and then starts execution in ram. I cannot find any data sheet, so I am just guessing here. There might be some fields in the image that have special significance, and there might be checksums to make sure the flash contents are correct. This is probably why this failed for me. Now, with a new copy of a working flash, it works, but sadly it is the "wrong" flash, of another unit.

(Last edited by gulweb on 24 Nov 2012, 23:14)

oh, I'm sorry, I completely missed the fact that the #1 board was booting with both chips, in the end...

BTW did you make a backup of the art partition of the flash of the #2 board before overwriting?

(Last edited by nebbia88 on 24 Nov 2012, 23:15)

undermonster wrote:

I Unbricked my WR841N v8.2 - without hardware hacks.

I will explain how to revert to STOCK firmware.

1) Set your Computer IP to 192.168.1.2 (Ethernet, not WiFi)
2) Connect to your router, in the WAN port (blue)
3) Ping 192.168.1.1 continuously. (Helps identify when it's ready)
4) Turn Router ON. Press the WPS/Reset button many times.
5) Wait for LED under gear icon to flash rapidly.
6) Wait for PING to respond (Not failed response)
7) Telnet into 192.168.1.1 from your PC
8) In telnet, CD to /tmp
9) Copy stock firmware (Link) to /tmp (wget is installed by default! Download link is ZIP, firmware is BIN!)
10) Rename firmware to: tplink.bin
11) Type: mtd -r write /tmp/tplink.bin firmware
12) Wait for "Reboot" message. If error message appears, manually reboot.

Your router is now back to Factory Defaults.

Bricked my WR841n with the wrong firmware...

I tried the instructions above, without any success...

4) Turn Router ON. Press the WPS/Reset button many times.
5) Wait for LED under gear icon to flash rapidly.

My gear icon is still dead... Nothing happened...

What firmware did you use? How did you flash?

nebbia88 wrote:

What firmware did you use? How did you flash?

openwrt-ar71xx-generic-tl-wr841n-v8-squashfs-factory

tplinklogin.net -> upgrade firmware

(I made it through wifi, not via ethernet cable...)

PS. wr841n v.8.2

(Last edited by quorce on 25 Nov 2012, 00:19)

nebbia88 wrote:

oh i'm sorry, i completely missed the fact that the #1 board was booting with both chips, in the end...

BTW did you make a backup of the art partition of the flash of the #2 board before overwriting?

No, I don't have any backup of either config or art (I'm still only 98 % sure these are the two critical partitions). I don't see how I could, because just flashing uboot or flashing uboot + fw did not get the router running. I tried to preserve those partitions, but with negative results.

The ONLY thing that helped was copying the WHOLE 4 mb, i.e. INCLUDING config + art. In retrospect I should have tried boot + firmware + config first, but I had already given up; it was just the final desperate try that brought it to life again.

Anyway, it cannot be that the firmware part is checksummed as part of the entire flash, because then it would not be possible to swap back and forth between Openwrt and stock (easily). But there must be SOMETHING in partition config and/or art that is the enabler.

Now I will try to find info on these two partitions, at least enough to be able to reset back the proper MAC addresses. And, now that it boots, it is possible to extract these, and tftp them.

Could it be that Uboot also needs to read the config partition, and if it is nuked, it will not find any devices? But, it should be able to say so, i.e. Uboot 1.1.4 -- cannot read config

(Last edited by gulweb on 25 Nov 2012, 00:39)

anyway the config partition is not the problem, since it's erased by a "restore factory defaults", or am I thinking wrong??

quorce wrote:
nebbia88 wrote:

What firmware did you use? How did you flash?

openwrt-ar71xx-generic-tl-wr841n-v8-squashfs-factory

tplinklogin.net -> upgrade firmware

(I made it through wifi, not via ethernet cable...)

PS. wr841n v.8.2

I can't see why you should brick with this... you can't ping 192.168.1.1? Not even with a static ip? Try also failsafe mode!

nebbia88 wrote:

I can't see why you should brick with this... you can't ping 192.168.1.1? Not even with a static ip? Try also failsafe mode!

1. set ethernet to 192.168.1.2
2. connect router to pc via cable
3. my pc sees this router as "Unidentified network"
4. cannot ping 192.168.1.1

Does pressing the QSS button LOTS of times during startup make the SYS led flash fast? In normal startup, does it flash and after some seconds stay ON?

nebbia88 wrote:

anyway config partition is not the problem, since it's erased by a "restore factory defaults", or am I thinking wrong??

If the config partition only contains user config, and is indeed erased by "restore factory", then that should not be a problem.

To get further clarification, a description of the contents of config and art is needed. I think a lot can be read from mktplinkfw.c in the tools directory, since it knows a lot about the fw header. Other fragments from other places.

I tried to download the tplink GPL software kit, and received 327 Mb, but it does not open as a tar.gz kit, so it is obfuscated, which I think breaks the GPL agreement. Anyone succeeded in unpacking their software kit??

Edit: Update

Flash chips now back in their respective boards, and I now have two working and identical routers.

(Last edited by gulweb on 25 Nov 2012, 16:25)

nebbia88 wrote:

Does pressing the QSS button LOTS of times during startup make the SYS led flash fast? In normal startup, does it flash and after some seconds stay ON?

So step by step:
- power on
- all leds light for 1 second
- all leds off, only the power led (first led) is green

not one led flashes

edit:
Got a Sony Ericsson cable (black, red, white and green wire); maybe unbrick via ttl cable?

(Last edited by quorce on 25 Nov 2012, 20:23)

quorce wrote:
nebbia88 wrote:

Does pressing the QSS button LOTS of times during startup make the SYS led flash fast? In normal startup, does it flash and after some seconds stay ON?

So step by step:
- power on
- all leds light for 1 second
- all leds off, only the power led (first led) is green

not one led flashes

edit:
Got a Sony Ericsson cable (black, red, white and green wire); maybe unbrick via ttl cable?

If you can get no action from your router, connecting a terminal can give you some idea about what has happened. But it is not always easy :-)