OpenWrt Forum Archive

Topic: TP-Link TL-WR703N Reverse Engineering

The content of this topic has been archived between 22 Mar 2018 and 21 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Great job! And thank you for these explanations! Although it looks simple, it probably requires quite a lot of skills and tons of patience!

I am sure that the above will be useful to other persons willing to reverse-engineer some other boards using the same techniques.

All this work provides full understanding of the TL-WR703N hardware so it is now possible to squeeze all the juice out of this wonderful little platform.

But this job is also a good way to learn how a modern router is working at the lowest level, bringing knowledge of the different circuits (SDRAM, Ethernet, Wi-Fi, USB) to the electronic hobbyist's delight!

On my side, I started to look at the internal layers to find if I missed something, and I may have the explanation for my "L" via: this via is actually at +3.3V, and the R95 0603 resistor is in fact a pull-up (through so-far hidden internal layers...) for the "B42" AR9331 pin, which is also connected to GND via C86, forming what looks like an RC timing network... So I suspect that the "B42" pin is actually an active-low RESET pin (I was still missing this one somehow!)!

I will update the EagleCAD schematic and layout to match your pictures perfectly.

ultramancool wrote:

In case anyone is interested, I found a copy of the datasheet on a Chinese website.

http://ishare.sina.cn/dintro.php?id=34775768

ultramancool, you are my hero!!!

Thank you for sharing!

Cool stuff ultramancool :-)

The OpenWrt Wiki contains a schematic of the DORIN evaluation board from Embedded Wireless. It's also an AR9331-based device. But the schematic only contains the peripheral stuff. It might be helpful in some way:

http://wiki.openwrt.org/_media/toh/ew/d … al_1.0.pdf

AR9341 Only:

http://dioptimizer.narod.ru/files/images/jtag_ar9341.jpg

20.12.12
Fixed.
AR9341 pinout not an exact match with an AR9331 pinout.

(Last edited by Dioptimizer on 20 Dec 2012, 14:11)

Unfortunately, the JTAG signals are not routed and are barely accessible, except for A27 and A28 on the TL-MR3020 which are GPIO20 and GPIO18, respectively :(

I need to verify the schematic and layout against these new PCB pictures, but it takes time...

Probably the JTAG interface will be available in the event of a failure to boot from flash memory, for example on the AR7241.
Starting with the AR7241 processor, nTRST is placed on the CS pin of the SPI flash chip, because in the case of a damaged bootloader CS goes to logic "1", and since the bootloader does not boot, JTAG is not disabled in software (more correctly, the JTAG pins are not reprogrammed as GPIO pins).
Also, I noticed that on the wr841n v8.0 device (AR9341 with JTAG), nTRST is not used on the pin header.

(Last edited by Dioptimizer on 14 Dec 2012, 12:07)

Squonk wrote:

Thank you!

Following my experience with USB 2.0 EHCI only in the AR9331, a hub is mandatory if you want to use any low or full speed device, and adding a microSD in the same chip would allow a smaller flash capacity and expandable memory for cheap...

Specifically, I was thinking of the AU6350-MGL chip.

But the problem is to get the AR9331 chip, anyway :(

Thank you for your brilliant reverse engineering work.

Do you think we could (legally) adapt these layouts and produce a much more hacker friendly device? I'm sure we could squeeze in an extra pinheader or two and reshape the board slightly to fit into a readily available enclosure.

Obtaining the AR9331 is not a problem, my company has these in stock from producing military ethernet modules so I could purchase them for about $8 each for single pieces. Would this make such a project feasible?

(Last edited by ZoomZoomLuke on 20 Dec 2012, 09:52)

I can ask for a quote of AR9331 as well. Unfortunately we would need to achieve a minimum order quantity. I think ZoomZoomLuke seems to have easier and likely cheaper access to the chip.

Apart from that the board needs to be modified for legal reasons. As far as I know creating a perfect copy of the original PCB would be problematic. Making modifications like USB hub, antenna connector, memory card slot and pin headers could be enough to prevent legal problems.

Another problem is the missing "ART" software from Atheros needed for the calibration process. Village Telco had the same problem with the Mesh Potato but they solved it: http://villagetelco.org/2009/11/rf-hacking/

ZoomZoomLuke wrote:
Squonk wrote:

Thank you!

Following my experience with USB 2.0 EHCI only in the AR9331, a hub is mandatory if you want to use any low or full speed device, and adding a microSD in the same chip would allow a smaller flash capacity and expandable memory for cheap...

Specifically, I was thinking of the AU6350-MGL chip.

But the problem is to get the AR9331 chip, anyway :(

Thank you for your brilliant reverse engineering work.

Thank you!

I still need to update the schematic and layout to match the latest pictures that also include the internal layers.

ZoomZoomLuke wrote:

Do you think we could (legally) adapt these layouts and produce a much more hacker friendly device? I'm sure we could squeeze in an extra pinheader or two and reshape the board slightly to fit into a readily available enclosure.

IANAL, but it looks like chip die layouts are protected, but not PCB layouts, as long as you don't include protected contents such as logo or trademarks.

Anyway, this layout is probably largely inspired by the Atheros AP121 reference design.

Yes, first, we should provide an easier access to the console :)

Second is to increase SDRAM/Flash size.

Then, given the problem we found on the USB I/F, a USB hub chip would be of utmost importance to me, in order to connect low/full speed devices like POTS modems, GPS, Arduino boards, USB-UART converters and all kinds of home-built devices.

And of course, fan out all the available pins (I2S, SLIC, additional Ethernet ports, JTAG, etc.) to headers!

ZoomZoomLuke wrote:

Obtaining the AR9331 is not a problem, my company has these in stock from producing military ethernet modules so I could purchase them for about $8 each for single pieces. Would this make such a project feasible?

Yes, but the challenge would be to produce the boards!

The PCB is 4-layer, so we cannot use the cheap PCB prototype services. So we will need to find one PCB house that can do this cheap, and also provide the solder paste stencils.

For this kind of board, hand assembly with a soldering iron is not possible. Given the AR9331's dual-row pinout, hot air is not trivial, so a reflow oven is recommended. You can find those starting at $100-150, but it means not everybody can put together the board by him/herself.

Maybe taking a layout where all the components are on the top PCB side is also a good idea...

For manufacturing, we need to find an easy way to flash the bootloader into Flash memory, then write software that performs the board self-tests.

Then, the RF part is probably very tricky, as the exact values for the RF matching network are to be tuned, depending on the board layout, etc. Then the RF needs to be calibrated using the ART (Atheros Radio Test) software (which I don't know how to get, except by signing an NDA with Atheros) and corresponding tuning values written into Flash memory during manufacturing.

Also, consider that there are AR9331-based SMT modules starting to appear in China for about the same price as a TL-WR703N, with more or less GPIOs... They do not provide all the connectors for Ethernet, antenna, USB, etc, but this may be seen as an alternative to making our own board...

But this could also make a nice Kickstarter/Indiegogo (I am not US or UK-based) campaign!

I like the module concept of the DORIN platform: http://wiki.openwrt.org/toh/ew/dorin. The problem is the soldering of the Mini PCIe socket for creating a daughterboard. SMT modules instead are easier to mount.

Crowdfunding is an interesting approach. If some people are interested in this topic, we could discuss it in detail.

ramaza wrote:

I like the module concept of the DORIN platform: http://wiki.openwrt.org/toh/ew/dorin. The problem is the soldering of the Mini PCIe socket for creating a daughterboard. SMT modules instead are easier to mount.

Crowdfunding is an interesting approach. If some people are interested in this topic, we could discuss it in detail.

Interesting!

However, I am not sure that all available GPIOs are routed to the PCIe connector, as I don't see the SLIC signals. But they may well be muxed...

I was thinking of something like this:
http://i00.i.aliimg.com/photo/v3/703682944/high_quality_11n_300m_openwrt_wifi_router.jpg

Basically, it is a TL-WR703N router, with BGA SDRAM chip and less the connectors.

The pads are "stamp-like" with a 2mm pitch (2.54mm/0.1" would be more standard, though...), quite easy to solder using a soldering iron.

If not crowdfunding, at least group buys could be an option, as these are only sold in large quantities.

(Last edited by Squonk on 20 Dec 2012, 12:57)

Has anyone thought of talking to TP-link? They seem to produce a lot of variants very quickly. Perhaps if we pushed them in the direction we want, they could do it? Even if they just made a board with all connections routed through to pads, that would be a start.

robthebrew wrote:

Has anyone thought of talking to TP-link? They seem to produce a lot of variants very quickly. Perhaps if we pushed them in the direction we want, they could do it? Even if they just made a board with all connections routed through to pads, that would be a start.

Some people I know tried to talk to them, but it is useless: TP-Link are now larger than even D-Link and ship routers by millions of units, so changing a design for even thousands of them doesn't get their attention.

It is actually easier with some smaller companies, such as the one producing the HAME MPR-A1 pocket router (see this thread). Although less power-efficient than the AR9331, the RT5350 SoC plays in the same performance class...

I did look at the AR9331 modular package as above but they are costly considering they lack a lot of components, some of which are SMD so the problems of assembly will remain.

Having called our fab house, we should be able to produce these for around $25 fully assembled based on a MOQ of 100 pieces.  I don't think this would be too far out of our reach.

If we are looking at prototype volumes, I have a decent reflow oven myself and my prototype fab house will provide a 50mm x 50mm 4 layer board with HAL for about $30 inc stencils.  While it's not super cheap, we could look at low volume to our exact requirements for about $50 assembled.

With regards to SPI flash, let's get the best value for money, perhaps just enough for uboot and use microSD.

How about producing this to match the RasPi connector and tooling hole layout to make use of the many enclosures available? (Although, personally, I dislike the RasPi layout from a prototyping point of view)

(Last edited by ZoomZoomLuke on 20 Dec 2012, 17:44)

Squonk wrote:
ramaza wrote:

I like the module concept of the DORIN platform: http://wiki.openwrt.org/toh/ew/dorin. The problem is the soldering of the Mini PCIe socket for creating a daughterboard. SMT modules instead are easier to mount.

Crowdfunding is an interesting approach. If some people are interested in this topic, we could discuss it in detail.

Interesting!

However, I am not sure that all available GPIOs are routed to the PCIe connector, as I don't see the SLIC signals. But they may well be muxed...

I was thinking of something like this:
http://i00.i.aliimg.com/photo/v3/703682944/high_quality_11n_300m_openwrt_wifi_router.jpg

Basically, it is a TL-WR703N router, with BGA SDRAM chip and less the connectors.

The pads are "stamp-like" with a 2mm pitch (2.54mm/0.1" would be more standard, though...), quite easy to solder using a soldering iron.

If not crowdfunding, at least group buys could be an option, as these are only sold in large quantities.


Yes, the minimum qty is 1k, also it is more expensive than the WR703N.

But I'll try to get one sample and will update this after testing.

ZoomZoomLuke wrote:

I did look at the AR9331 modular package as above but they are costly considering they lack a lot of components, some of which are SMD so the problems of assembly will remain.

These modules just popped up on AliBaba recently, so I am sure that their price will decrease soon.

They are not lacking a lot of components: basically only passive ones and connectors (Ethernet Pi filter/transformer/ESD protection/jack, USB clamping diodes and connectors, etc.), much like the DORIN board cited above.

ZoomZoomLuke wrote:

Having called our fab house, we should be able to produce these for around $25 fully assembled based on a MOQ of 100 pieces.  I don't think this would be too far out of our reach.

Not bad at all, considering a TL-WR703N is $23 with case, packaging and shipping, but we don't care about case & packaging, do we? And 100 pieces can be reached, I already have 2x TL-WR703N, 2x TL-MR3020 and expecting another TL-MR11U, so that's already 5% of the total ;)

ZoomZoomLuke wrote:

If we are looking at prototype volumes, I have a decent reflow oven myself and my prototype fab house will provide a 50mm x 50mm 4 layer board with HAL for about $30 inc stencils.  While it's not super cheap, we could look at low volume to our exact requirements for about $50 assembled.

Not bad either for a prototype...

ZoomZoomLuke wrote:

With regards to SPI flash, let's get the best value for money, perhaps just enough for uboot and use microSD.

+1

ZoomZoomLuke wrote:

How about producing this to match the RasPi connector and tooling hole layout to make use of the many enclosures available? (Although, personally, I dislike the RasPi layout from a prototyping point of view)

I have a RP myself, but I am not a big fan of their layout... Plus the RP has a lot of connectors that we don't really care about (HDMI, VGA, Audio, Full SDCard) and it is also pretty large compared to a 50 x 50 mm TL-WR703N board...

I am not sure that the case is more important than matching existing common pinouts. In this respect, matching an Arduino Pro (almost 50 x 50 mm...) would open the board to a lot of existing shields for display, motor control, etc.

And now with 3D printing, I don't think making a case is too difficult, or if you can't afford it, you can either buy a beige case or a SoB (Sick-of-Beige) one ;)

All cool guys, great job. Now it seems everything is ready to make a "perfect" study board based on the WR703N.
Let's do some project in the new year?
1. An open HW project for a "perfect" study board based on the AR9331?
2. A book project to document how OpenWrt works, based on our "perfect" study board?

What stops us is that some things are illegal, we can't do that...

(Last edited by mips on 21 Dec 2012, 03:02)

the next key point is how to buy the AR9331.....
there is no retailer...

kwongwo wrote:

the next key point is how to buy the AR9331.....
there is no retailer...

Once the holiday season is out of the way, I can supply the AR9331 for $12 shipped to anywhere in the world. Less for any UK residents.

I am happy to work on a layout with anyone interested in producing an open board based on this chipset.
If someone wants to design a breakout board I am more than happy to assemble these for people wanting to work on this project.
I will get 12 boards produced at prototype pricing and assemble them myself at no additional cost.


Anyone up for the challenge? I would do the designs myself except I don't think my routing skills are good enough to keep a 50mm x 50mm footprint and I don't have any experience with RF layouts.

ZoomZoomLuke wrote:
kwongwo wrote:

the next key point is how to buy the AR9331.....
there is no retailer...

Once the holiday season is out of the way, I can supply the AR9331 for $12 shipped to anywhere in the world. Less for any UK residents.

I am happy to work on a layout with anyone interested in producing an open board based on this chipset.
If someone wants to design a breakout board I am more than happy to assemble these for people wanting to work on this project.
I will get 12 boards produced at prototype pricing and assemble them myself at no additional cost.


Anyone up for the challenge? I would do the designs myself except I don't think my routing skills are good enough to keep a 50mm x 50mm footprint and I don't have any experience with RF layouts.

As stated above, the big challenge is the RF part, and especially the calibration w/o the ART genuine tools.

I read the story about the VillageTelco MP02 device, and I am far from convinced that they really know what they are doing... I am far from an RF specialist (enough to be dangerous :)), but this is not just a matter of having a simple spectrum analyzer and looking at the RF envelope here: you also have to adapt impedances, and this almost certainly requires a VNA (Vector Network Analyzer) to measure the 4 network impedance characteristics too...

RF routing is not the worst, provided you keep RF signals away from all other fast signals and have good (star-topology...) ground separate from noisy digital ground.

The worst routing to be done will be between the AR9331 and the SDRAM chip, where almost all the traces should be matched in length and in impedance, requiring the typical "snaked" traces.

What CAD tools do you plan to use?

I suggest you not to do the design all by yourself: it is easy to forget something and the only efficient way is to work in a team: first we need to agree on the functionalities, then what components we will use for that, then draw the schematic and then layout eventually.

Having all components on a single side would make things easier for assembly, even if this still requires a 4-layer PCB.

And if we choose only non-BGA/QFN components, this will enable people to put together their board with a simple soldering iron (and magnifier...), except for the pre-soldered AR9331... Don't know if this is something interesting, but it's a fun idea :)

ZoomZoomLuke wrote:
kwongwo wrote:

the next key point is how to buy the AR9331.....
there is no retailer...

Once the holiday season is out of the way, I can supply the AR9331 for $12 shipped to anywhere in the world. Less for any UK residents.

I am happy to work on a layout with anyone interested in producing an open board based on this chipset.
If someone wants to design a breakout board I am more than happy to assemble these for people wanting to work on this project.
I will get 12 boards produced at prototype pricing and assemble them myself at no additional cost.


Anyone up for the challenge? I would do the designs myself except I don't think my routing skills are good enough to keep a 50mm x 50mm footprint and I don't have any experience with RF layouts.


ZoomZoomLuke, great! If we can get the SoC, then the last question should be the ART.

Squonk wrote:
ZoomZoomLuke wrote:
kwongwo wrote:

the next key point is how to buy the AR9331.....
there is no retailer...

Once the holiday season is out of the way, I can supply the AR9331 for $12 shipped to anywhere in the world. Less for any UK residents.

I am happy to work on a layout with anyone interested in producing an open board based on this chipset.
If someone wants to design a breakout board I am more than happy to assemble these for people wanting to work on this project.
I will get 12 boards produced at prototype pricing and assemble them myself at no additional cost.


Anyone up for the challenge? I would do the designs myself except I don't think my routing skills are good enough to keep a 50mm x 50mm footprint and I don't have any experience with RF layouts.

As stated above, the big challenge is the RF part, and especially the calibration w/o the ART genuine tools.

I read the story about the VillageTelco MP02 device, and I am far from convinced that they really know what they are doing... I am far from an RF specialist (enough to be dangerous :)), but this is not just a matter of having a simple spectrum analyzer and looking at the RF envelope here: you also have to adapt impedances, and this almost certainly requires a VNA (Vector Network Analyzer) to measure the 4 network impedance characteristics too...

RF routing is not the worst, provided you keep RF signals away from all other fast signals and have good (star-topology...) ground separate from noisy digital ground.

The worst routing to be done will be between the AR9331 and the SDRAM chip, where almost all the traces should be matched in length and in impedance, requiring the typical "snaked" traces.

What CAD tools do you plan to use?

I suggest you not to do the design all by yourself: it is easy to forget something and the only efficient way is to work in a team: first we need to agree on the functionalities, then what components we will use for that, then draw the schematic and then layout eventually.

Having all components on a single side would make things easier for assembly, even if this still requires a 4-layer PCB.

And if we choose only non-BGA/QFN components, this will enable people to put together their board with a simple soldering iron (and magnifier...), except for the pre-soldered AR9331... Don't know if this is something interesting, but it's a fun idea :)

If the "ART" is not the problem, then the routing between "AR9331 <-> SDRAM" will just take 3-5 nights :)

Hello,
Here I draw some conclusions about the ability to make some GPIO JTAG and that can be activated to control in OpenWrt.
Defined almost all JTAG-GPIO numbers:
(judging by the top photo on the link to Alibaba and representation schemes by ramaza)
RST - GPIO11
TDO - GPIO7 (same on AR7241)
TDI - GPIO6 (same on AR7241)
TMS - GPIO8 (same on AR7241)
TCK - GPIO27 (not sure)
Next I would like to add information on how to activate the possibility manipulated by other GPIOs:
https://forum.openwrt.org/viewtopic.php … 23#p186723

If you delve into the u-boot source code, it can be concluded that the same method of initializing the processor (lowlevel_init) is used as on the AR724x, and this means that this guide may come in handy:
http://www.google.com/translate_c?langp … g%2525jtag

There are some reasons that make this project not possible:
1. Some things are illegal... or we need to put a lot of effort into working around them, such as writing the "ART" process code based on the ath9k driver.
2. We can't make an AR9331-based device at a price as good as the TP-Link WR703N.
3. This is not a "profit" project, but we also need to prepare many $ for this project's kick-off. I think the reason there are fewer "open hardware" projects than "open software" ones is that an "open hardware" project needs $ to start...

Because converting a SCH with Wi-Fi related parts is not as easy as making "bread" :), the equipment for testing the Wi-Fi part is also hard to find, not every factory has this "cool" equipment, and many things will happen when converting a SCH to a product; someone must focus on it day and night...
So the cost in $ will be even more of a surprise when compared with the WR703N's price!