It seems that the new version of TP-Link's firmware for the TL-WDR4300 (TL-WDR4300_V1_130617) contains a U-Boot with a hidden firmware recovery mode (TFTP).
Here is a fragment of the boot log (the router was powered on with the WPS/Reset button pushed in):
U-Boot 1.1.4 (Jun 17 2013 - 12:31:57)
U-boot DB120
DRAM: 128 MB
id read 0x100000ff
flash size 8MB, sector count = 128
Flash: 8 MB
Using default environment
PCIe Reset OK!!!!!!
In: serial
Out: serial
Err: serial
Net: ag934x_enet_initialize...
No valid address in Flash. Using fixed address
wasp reset mask:c03300
WASP ----> S17 PHY *
: cfg1 0x7 cfg2 0x7114
eth0: ba:be:fa:ce:08:41
athrs17_reg_init: complete
eth0 up
eth0
dup 1 speed 1000
Using eth0 device
TFTP from server 192.168.0.66; our IP address is 192.168.0.86
Filename 'wdr4300v1_tp_recovery.bin'.
Load address: 0x80060000
Loading: T T
More information can be found here:
http://forum.ixbt.com/topic.cgi?id=14:59307:610#609 (RU)
http://eko.one.pl/forum/viewtopic.php?id=6953 (PL)
http://openrouter.info/forum/viewtopic. … mp;p=30991 (PL)
Some time ago I found a similar recovery mode in TP-Link's GPL sources for the WR710N, in the main.c file, but the official image doesn't have it (probably due to a missing FIRMWARE_RECOVERY definition):
#ifdef FIRMWARE_RECOVERY
#define ORG_FILE_BASE           0x9F020000
#define ORG_PRODUCT_ID_POS      (ORG_FILE_BASE + 0x40)
#define ORG_PRODUCT_VER_POS     (ORG_FILE_BASE + 0x44)
#define UP_FILE_BASE            0x80800000
#define UP_PRODUCT_ID_POS       (UP_FILE_BASE + 0x40)
#define UP_PRODUCT_VER_POS      (UP_FILE_BASE + 0x44)
#define PRODUCT_ID_VER_LEN      4

    int is_auto_upload_firmware = 0;
    unsigned int original_product_id;
    unsigned int original_product_ver;
    unsigned int recovery_product_id;
    unsigned int recovery_product_ver;

    ar7240_auf_gpio_init();
    is_auto_upload_firmware = ar7240_is_rst_btn_pressed();
    printf("auto update firmware: is_auto_upload_firmware = %d!\n", is_auto_upload_firmware);

    if (is_auto_upload_firmware)
    {
        ar7240_wps_led_on();

        /* wait for ethernet config done. */
        udelay(2000*1000);

        run_command("setenv serverip 192.168.0.66", 0);
        run_command("setenv ipaddr 192.168.0.86", 0);
        run_command("tftp 80800000 wr741ndv4_tp_recovery.bin", 0);

        memcpy(&original_product_id, ORG_PRODUCT_ID_POS, PRODUCT_ID_VER_LEN);
        memcpy(&original_product_ver, ORG_PRODUCT_VER_POS, PRODUCT_ID_VER_LEN);
        memcpy(&recovery_product_id, UP_PRODUCT_ID_POS, PRODUCT_ID_VER_LEN);
        memcpy(&recovery_product_ver, UP_PRODUCT_VER_POS, PRODUCT_ID_VER_LEN);

        if ( (original_product_id == recovery_product_id)
            && (original_product_ver== recovery_product_ver) )
        {
            printf("auto update firmware: product id verify sucess!\n");
            run_command("erase 9f020000 +3c0000; cp.b 80800000 9f020000 3c0000", 0);
            do_reset (NULL, 0, 0, NULL);
        }
        else
        {
            printf("auto update firmware: product id verify fail!\n");
            ar7240_wps_led_off();
        }
    }
    else
    {
        ar7240_wps_led_off();
    }
#endif
Maybe TP-Link is going to add this feature to all their routers in the near future?
(Last edited by pepe2k on 21 Sep 2013, 21:45)
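
The WR710N fragment above accepts a recovery file when the two 4-byte fields at offsets 0x40 and 0x44 match the installed firmware; no checksum or signature test appears in the quoted lines. The following host-side check is an added example, not part of the original post or of TP-Link's sources, and it applies the same comparison to a candidate file before it is placed on the TFTP server. The names `check_recovery_image` and `make_sample`, the big-endian field layout and the sample id/version values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets and lengths from the WR710N fragment quoted in the post. */
#define PRODUCT_ID_OFF  0x40u     /* *_PRODUCT_ID_POS  - *_FILE_BASE */
#define PRODUCT_VER_OFF 0x44u     /* *_PRODUCT_VER_POS - *_FILE_BASE */
#define FIELD_LEN       4u        /* PRODUCT_ID_VER_LEN */
#define REGION_LEN      0x3c0000u /* size given to erase / cp.b */

enum verdict { V_OK, V_TRUNCATED, V_TOO_LARGE, V_ID_MISMATCH, V_VER_MISMATCH };

/* Hypothetical helper: decide whether `up` (candidate recovery file) would
 * pass the bootloader's comparison against `org` (dump of the current
 * firmware region), and whether it fits the region that gets copied. */
enum verdict check_recovery_image(const uint8_t *org, size_t org_len,
                                  const uint8_t *up, size_t up_len)
{
    /* Both buffers must contain the two 4-byte header fields. */
    if (org_len < PRODUCT_VER_OFF + FIELD_LEN ||
        up_len < PRODUCT_VER_OFF + FIELD_LEN)
        return V_TRUNCATED;
    /* The fragment always copies REGION_LEN bytes; a larger file is cut. */
    if (up_len > REGION_LEN)
        return V_TOO_LARGE;
    if (memcmp(org + PRODUCT_ID_OFF, up + PRODUCT_ID_OFF, FIELD_LEN) != 0)
        return V_ID_MISMATCH;
    if (memcmp(org + PRODUCT_VER_OFF, up + PRODUCT_VER_OFF, FIELD_LEN) != 0)
        return V_VER_MISMATCH;
    return V_OK;
}

/* Constructed sample: zeroed buffer (len >= 0x48) with made-up id/version. */
void make_sample(uint8_t *buf, size_t len, uint32_t id, uint32_t ver)
{
    memset(buf, 0, len);
    for (unsigned i = 0; i < FIELD_LEN; i++) {   /* assumed big-endian */
        buf[PRODUCT_ID_OFF + i]  = (uint8_t)(id  >> (24 - 8 * i));
        buf[PRODUCT_VER_OFF + i] = (uint8_t)(ver >> (24 - 8 * i));
    }
}

int main(void)
{
    uint8_t org[0x100], up[0x100];
    make_sample(org, sizeof org, 0x07100001u, 1u);  /* constructed values */
    make_sample(up,  sizeof up,  0x07100001u, 2u);
    printf("verdict = %d\n", check_recovery_image(org, sizeof org, up, sizeof up));
    return 0;
}
```

Because only eight header bytes are compared, a passing verdict says nothing about the integrity of the rest of the image; verify the file's hash against the vendor's published value separately.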