OpenWrt Forum Archive

Topic: TP-Link WR740N Version 6

The content of this topic has been archived between 8 Feb 2018 and 22 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I bricked it, then flashed the factory firmware ver.160325, which comes with u-Boot loader upgrade.
Right now I am not able to flash anything else, neither through httpd nor tftp.
The router is working with factory ver.160325, though it is rejecting flashing dd-wrt, openwrt or any other firmware.
I guess TP-Link changed the way the CRC is calculated.

Be cautious with this particular version.

Have you tried the bin from post #34?

(Last edited by danymarc on 17 Sep 2016, 09:15)

Yup... it is still the same. The file is rejected with:

Error code: 18005
Upgrade unsuccessfully because the version of the upgraded file was incorrect. Please check the file name.

The TFTP method does not flash it either.

Will try to unravel the function that checks the CRC from the new firmware and evaluate the changes with the old version.

If someone knows how this is computed, perhaps I'll be able to pass him some assembly instructions, so that he will know how to recalculate the CRC.

void_runner wrote:

Error code: 18005

post #1 step #6 https://forum.openwrt.org/viewtopic.php?id=58903
6th - enter command in console "sysupgrade -n -v -F /tmp/openwrt-ar71xx-generic-tl-wr741nd-v4-squashfs-sysupgrade.bin"
(this will force flash to skip hardware check)
suit it to your bin & Version 6

(Last edited by danymarc on 17 Sep 2016, 23:57)

Ok. Here is the short story of what I did:

As of 25 March 2016, there's now only one firmware update available for WR740N V6 on the TP-Link website.
It is with Rev Number 160325 and contains an uBoot update as well.

The new stuff here is this (quote from the website, marked in red):

The EU firmware was specialized for CE certificating and can’t be downgraded to other version, please click here for choosing your region and selecting the most suitable firmware version to upgrade.

For us as developers this means that we'll no longer be able to flash custom or modified roms, because the firmware header is slightly changed.

Luckily it turns out that the changes are really slight.

I took the httpd executable from this new release (160325) and put it in IDA, to find out what was changed. At first I was thinking TP-Link changed the CRC-MD5 calculation method.

It turns out that in the subroutine called checkFirmware, they've added this code:

004EC7F0 loc_4EC7F0:                              # CODE XREF: checkFirmware+12C
004EC7F0                 lw      $t9, (off_5BA700 - 0x5BFD40)($gp)
004EC7F4                 move    $a0, $s0
004EC7F8                 move    $a1, $s1
004EC7FC                 jalr    $t9
004EC800                 li      $a2, 0x10
004EC804                 lw      $gp, 0x40+var_30($sp)
004EC808                 lui     $v0, 0x5B
004EC80C
004EC80C loc_4EC80C:                              # CODE XREF: checkFirmware+A4
004EC80C                 lw      $v0, -0x7770($v0)
004EC810                 nop
004EC814                 beqz    $v0, loc_4EC99C
004EC818                 move    $v0, $0
004EC81C                 lw      $t9, (off_5BA2DC - 0x5BFD40)($gp)
004EC820                 nop
004EC824                 jalr    $t9
004EC828                 nop
004EC82C                 lw      $gp, 0x40+var_30($sp)
004EC830                 bnez    $v0, loc_4EC998
004EC834                 addiu   $s0, $s2, 0x120
004EC838                 beqz    $s0, loc_4EC8B0
004EC83C                 lui     $a0, 0x58
004EC840                 lw      $t9, (off_5B997C - 0x5BFD40)($gp)
004EC844                 nop
004EC848                 jalr    $t9
004EC84C                 nop
004EC850                 lw      $gp, 0x40+var_30($sp)
004EC854                 move    $a1, $v0
004EC858                 lw      $t9, (off_5B8540 - 0x5BFD40)($gp)
004EC85C                 nop
004EC860                 jalr    $t9
004EC864                 move    $a0, $s0
004EC868                 lw      $gp, 0x40+var_30($sp)
004EC86C                 bnez    $v0, loc_4EC8C4
004EC870                 nop
004EC874                 lw      $t9, (off_5B997C - 0x5BFD40)($gp)
004EC878                 nop
004EC87C                 jalr    $t9
004EC880                 nop
004EC884                 lw      $gp, 0x40+var_30($sp)
004EC888                 lui     $a0, 0x58
004EC88C                 lui     $a1, 0x58
004EC890                 lw      $t9, (off_5BA9E8 - 0x5BFD40)($gp)
004EC894                 la      $a0, aSysupfirmware_  # "sysUpfirmware.c:226"
004EC898                 la      $a1, aNotSupportThis  # "not support this country! %s, cur special id %s"
004EC89C                 move    $a2, $s0
004EC8A0                 jalr    $t9
004EC8A4                 move    $a3, $v0
004EC8A8                 b       loc_4EC98C
004EC8AC                 nop

Basically the uBoot loader and httpd function updateFirmware are now checking not just the CRC-MD5, but a new field in the firmware header as well:

       0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0x120  30 30 30 30 30 30 30 30 3B 34 35 35 35 30 30 30
0x130  30 3B

As text it looks like this:

00000000;45550000;

In the previous versions of the firmware this section is NULL.

So what I did was to grab the firmware published here and to add this content at address 0x120, then recalculate the checksum, and ... miracle... it was flashed successfully.

I am turning to developers and to wiki maintainers:

Please, add this information to the header compilation utils for TP-Link and update wiki for this particular Firmware Revision.
I guess this subroutine will gradually spread throughout each and every TP-Link device. It will not be an isolated occurrence.
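
The header field described in the post above, as an added example that is not part of the original post or of any OpenWrt or TP-Link tool: a read-only Python parser that reports the hardware ID, MD5Sum1 and the 0x120 field of a version 1 TP-Link header. The offsets 0x40 and 0x4C and the 512-byte header size are the ones that appear elsewhere in this thread; the big-endian layout, the 0x44 revision offset and all function names are assumptions of this example, and the sample headers are constructed.

```python
import struct

HEADER_LEN = 0x200   # "Version 1 Header size" in the mktplinkfw output in this thread
HWID_OFF = 0x40      # hardware ID; revision assumed to follow at 0x44 (big-endian)
MD5_OFF = 0x4C       # Header MD5Sum1, 16 bytes
REGION_OFF = 0x120   # field read by the 160325 checkFirmware routine ($s2 + 0x120)
REGION_LEN = 0x12    # 18 bytes, the length of the hex dump in the post


def decode_token(tok: str) -> str:
    """Hex-decode one ';'-separated token and return its ASCII part."""
    raw = bytes.fromhex(tok).rstrip(b"\x00")
    return raw.decode("ascii", errors="replace")


def parse_header(image: bytes) -> dict:
    if len(image) < HEADER_LEN:
        raise ValueError("image is shorter than the 512-byte header")
    hw_id, hw_rev = struct.unpack_from(">II", image, HWID_OFF)
    field = image[REGION_OFF:REGION_OFF + REGION_LEN]
    info = {"hw_id": hw_id, "hw_rev": hw_rev,
            "md5sum1": image[MD5_OFF:MD5_OFF + 16].hex(),
            "tokens": [], "decoded": []}
    if not any(field):
        info["layout"] = "legacy"        # field is NULL, as in pre-160325 images
        return info
    try:
        tokens = [t for t in field.decode("ascii").split(";") if t]
        info["decoded"] = [decode_token(t) for t in tokens]
        info["tokens"] = tokens
        info["layout"] = "region-tagged"
    except ValueError:                   # not ASCII or not hex: report, do not guess
        info["layout"] = "unrecognised"
    return info


def make_sample(region: bytes) -> bytes:
    """Constructed 512-byte header for demonstration, not a real firmware image."""
    hdr = bytearray(HEADER_LEN)
    struct.pack_into(">II", hdr, HWID_OFF, 0x07400006, 1)
    hdr[REGION_OFF:REGION_OFF + len(region)] = region
    return bytes(hdr)


if __name__ == "__main__":
    for name, region in (("old", b""), ("160325", b"00000000;45550000;")):
        print(name, parse_header(make_sample(region)))
```

On the constructed 160325-style sample the second token, 45550000, hex-decodes to the ASCII string "EU"; on the legacy sample the field is all NULs and the layout is reported as legacy.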

MuruganDurai wrote:

Here you go. This is the .bin file which worked at my router.

Hello Bro... Can I get source code of this image? I want to try to enable OpenFlow In this device...

Please share finished, patched firmware for this router.

(Last edited by Abrikos on 13 Oct 2016, 17:28)

void_runner, can you share the firmware you flashed?
Thanks a lot

(Last edited by evanzulli on 17 Oct 2016, 20:40)

Guys, I just flashed 160325 ... Any ideas how to install openwrt?

Guys,
Sorry for the late response.

evanzulli & evilcorp... grab this bin and flash it if you're with Factory Firmware Ver.160325:
https://80.72.69.186/openwrt-15.05.1-ar … actory.bin

This is the same firmware from a previous post, just slightly modded.

Currently the power led is not working at all. Tried various settings. I guess it is necessary to recompile the kernel with different GPIO setup.

However I do not know what to touch...

One more thing.. be cautious with this bin file. Apparently the Power LED GPIO is not the only incorrect setup.
Mind that the Safe Mode is not working as well..

Will work a bit harder to restore the previous u-boot loader.
Could anyone share a dump from /dev/mtd0 for previous version of the stock firmware? (The one < 160325).

Thanks.

If pepe2k is reading... perhaps he'll be able to make a patched u-boot for this chipset/rom/ram combination?

void_runner wrote:

Guys,
Sorry for the late response.

evanzulli & evilcorp... grab this bin and flash it if you're with Factory Firmware Ver.160325:
https://80.72.69.186/openwrt-15.05.1-ar … actory.bin

This is the same firmware from a previous post, just slightly modded.

Currently the power led is not working at all. Tried various settings. I guess it is necessary to recompile the kernel with different GPIO setup.

However I do not know what to touch...

One more thing.. be cautious with this bin file. Apparently the Power LED GPIO is not the only incorrect setup.
Mind that the Safe Mode is not working as well..

Will work a bit harder to restore the previous u-boot loader.
Could anyone share a dump from /dev/mtd0 for previous version of the stock firmware? (The one < 160325).

Thanks.

If pepe2k is reading... perhaps he'll be able to make a patched u-boot for this chipset/rom/ram combination?

Uh, so is it better to not install it? I need luci too..

Lol @void_runner I just installed it and it is running really smooth, also it has luci, you must tell us early :) :) :) Thanks!!!!

Some logs:
System: http://pastebin.com/S3SpfdEe
Kernel: http://pastebin.com/qTHX2FZQ

I have internet, everything is working I think haha :)

Is it possible to disable the LEDs to save power?

Also how to limit wifi max speed to 2mb per second?

(Last edited by evilcorp on 28 Oct 2016, 18:43)

Hello, I have some trouble with this firmware.
I want to change the TTL, so I "install iptables_mod_ipopt" and use:

iptables -t mangle -I POSTROUTING -o eth1 -j TTL --ttl-set 64

but I get a "no chain/target/match by that name" error. The "TTL" target doesn't exist in "proc/net/ip_tables_targets".
I tried to fix it with:

insmod xt_NF

from lib/modules/3.18.23, and the TTL target appears, but when I use the "iptables" command, the router rebooted.
Is it a kernel problem? WR740N v4 with ddwrt has the TTL target. Or must I install more modules?

(Last edited by ijvans on 2 Nov 2016, 17:55)

For NOOBS

DO NOT UPDATE TP-LINKv6 to latest version 160325 (TL-WR740N(EU)_V6_160325.zip)

I did not update to latest as I read that it's not possible to downgrade etc.

This method is the tftp method. I read it's much more secure. I have done it, it works

enable windows features 
tftp client
telnet client

Download files
tftp util using
sourceforge.net/projects/tftputil/

download prebuilt binary for v6.
google drive
drive.google.com/file/d/0B_w0qR_K-FNeQk … sp=sharing

alternatively 841Nv10
downloads.openwrt.org/chaos_calmer/15.0 … actory.bin

change the header using this tool
sqzk.cqedu.net/tz/s/TP%E8%B7%AF%E7%94%B … %85%B7.exe


Start the TFTP Server
Plug ethernet cable to tp-link router
statically assign IPs as mentioned in blog bkil.blogspot.in/2014/12/tftp-secret-of … vered.html
put v6 openwrt image into root folder of tftp-util (for me it was C:\Program Files (x86)\TFTPUtil)
rename the bin to wr740nv6_tp_recovery.bin

Check if tftp client can download that image (most probably you need to turn off windows firewall for a while)
Switch on server side log to see the fetch requests

turn off the router and press reset button and turn it on again
This should fetch openwrt binary wr740nv6_tp_recovery.bin, if file not found, will give error
rename the file as required

try again in case of filename or other failure, once the binary is fetched, the router will take 1 minute to write it and reboot.

use telnet client to login to (router) 192.168.1.1, change the passwords using passwd command.

Hurrah!

I have done it on v6 (TP-Link WR740N Version 6), working flawlessly

(Last edited by s.sinnur on 4 Nov 2016, 17:54)

Hello. I can't upgrade my tl740n, I use openwrt-15.05.1-ar71xx-generic-tl-wr740n-v06-squashfs-factory.bin and the TP-Link router says (Please choose a file to upgrade). What do I do? My 740n has FV:160325.

Later.

I upgraded with the firmware openwrt-15.05.1-ar71xx-generic-tl-wr841n-v10-squashfs-factory.bin and renamed it to (wr740v6_tp_recovery.bin), it worked, only the power LED doesn't work.

(Last edited by speedway on 11 Nov 2016, 21:02)

Hello to all of you!

I bought TL-WR740N Ver.6.0 yesterday. I tried to install openwrt through the web interface this morning, but after that it looks dead.

The steps, which I made:

1. Download openwrt-15.05.1-ar71xx-generic-tl-wr841n-v10-squashfs-factory.bin
2. Change through hex editor the following things:
- Change on address 0x40 - 0x08410010 to 0x07400006
- Compile gcc -Os mktplinkfw.c md5.c -o mktplinkfw
- Execute ./mktplinkfw -i *-factory.bin
- Copy the MD5 on address 0x4C
- Execute again ... now looks fine

RT-TL-WR740N-v6$ ./mktplinkfw -i *-factory.bin
File name              : openwrt-15.05.1-ar71xx-generic-tl-wr740n-v6-squashfs-factory.bin
File size              : 0x002d7ed6 /  2981590 bytes
Version 1 Header size  : 0x00000200 /      512 bytes
Header MD5Sum1         : 46 c1 16 f0 a5 4a c4 4c 63 e8 d9 da 2f 2a e1 ff (ok)
Header MD5Sum2         : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 (purpose yet unknown, unchecked here)

Vendor name            : OpenWrt
Firmware version       : r48532
Hardware ID            : 0x07400006 (unknown)
Hardware Revision      : 0x00000001

Kernel data offset     : 0x00000200 /      512 bytes
Kernel data length     : 0x0011f420 /  1176608 bytes
Kernel load address    : 0x80060000
Kernel entry point     : 0x80060000
Rootfs data offset     : 0x00100000 /  1048576 bytes
Rootfs data length     : 0x00218232 /  2196018 bytes
Boot loader data offset: 0x00000000 /        0 bytes
Boot loader data length: 0x00000000 /        0 bytes
Total firmware length  : 0x003c0000 /  3932160 bytes

3. I rename the file to a shorter version, because I found out that the web does not like names with "-".
4. Upgrade procedure looks fine
5. The router is dead

Do you have a clue what I did wrong?

Regards to all of you!

(Last edited by hiperion on 12 Nov 2016, 13:03)

In 841n v9 v10 v11 21dbm at 740n v6 18dbm, why is that? correct in trunk LEDs for 740n v6...

(Last edited by motorolakhv on 19 Dec 2016, 02:24)

Hi Team,

Can someone provide a Noobs instruction on how to get Openwrt FW on WR740N v6.1 with current FW 160325?

Also, Does the Openwrt FW support Multiwan on this device? Has this been tested?

hiperion,

I guess that the firmware you've flashed is not the right one.
Flash the one from the link that I posted:
https://80.72.69.186/openwrt-15.05.1-ar … actory.bin

And tell me if your machine is up & running.
______________________________________

sreenath.87,

Try to flash the firmware from the link from this post.
This is a file with modded header for 160325 and it should work on every wr740n v6
______________________________________

motorolakhv,

First of all this is a firmware meant for 841n, do not expect it to work flawlessly on 740n.
I do not know what to touch and modify for tight integration with 740n.
______________________________________

ijvans,

I guess it is a kernel issue.
As I said this is a firmware meant for 841n, and on top of that Chaos Calmer is not very stable (my personal opinion). Tested it on:

  • wr1043nd Ver.2

  • wr740n Ver.4

  • wrt160nl

At a certain point of time and configurations, it simply crashes.
So far I am with Barrier Breaker on all of these devices, and have no issues at all.

However, I am pretty certain that with new models (dated from 2016), CC should be very stable.
Otherwise it would not be in production, right ;)

void_runner wrote:

Guys,
One more thing.. be cautious with this bin file. Apparently the Power LED GPIO is not the only incorrect setup.
Mind that the Safe Mode is not working as well..
--------------------
If pepe2k is reading... perhaps he'll be able to make a patched u-boot for this chipset/rom/ram combination?

My bad.
The Safe mode is working correctly. To access Safe mode, continuously press/release the WPS/WiFi Button, not the reset one.

It seems that pepe2k already has a solution for the bootloader. Will test it and if it is working, will write you a tutorial how to flash his bootloader.

I found the GPIO number responsible for power LED. It is not 0, but 1.

If you would like to light it, open the shell and type:

cd /sys/class/gpio
echo 1 > export
echo out > gpio1/direction

Still looking for a way to manage the system known LEDs.

GPIO2 is responsible for the red light on WAN port.

Add to trunk

It seems that pepe2k already has a solution for the bootloader. Will test it and if it is working, will write you a tutorial how to flash his bootloader.

I've tested the U-Boot for WR841n_v10. Unfortunately it is a no go.
The device is not booting.

void_runner wrote:

Will work a bit harder to restore the previous u-boot loader.
Could anyone share a dump from /dev/mtd0 for previous version of the stock firmware? (The one < 160325).

I have "fresh" TL-WR740N(UA) Ver.6 with FW 3.16.9 Build 151111 Rel.55708n
I can try to flash it with image from Borromini (page 1, post #4) and then dump /dev/mtd0.
OK?

(Last edited by ravenn on 10 Feb 2017, 22:58)

Hi there,
Please excuse my lack of knowledge in this topic.
Can you please explain more generally how and where I can find the values that should be replaced to change the header and checksum of ANY firmware to make it work with a different hardware model?

This is in reference to post #64. I understand that an image of model 841n is modded so it can be used on 740n V6.
The Google Drive link is given for the same. But here are my queries.
1. Can that image be used to flash using the stock web interface? This is because when I try to do so, I get an error:

Error code: 18005
Upgrade unsuccessfully because the version of the upgraded file was incorrect. Please check the file name.

2. Also, post #64 mentions the ways to install the image using a tftp server, which I am not able to follow. Is there a step by step method to follow this way to flash the image into 740n V6?

P.S.: I also own a tp-link wr740nV6 with stock firmware and would like to flash openWRT for 802.1x wired connection.