A colleague at work had this TL-WR741ND TP-Link router, and being a tinkerer like me, he had already flashed it with OpenWRT. He tried to flash back the original firmware but it somehow backfired and then he had this failing OpenWRT router that wasn’t working properly.
I couldn’t telnet to the router to get a terminal, even in failsafe mode. I couldn’t also get the web interface up on 192.168.1.1 using the browser. Only one more thing remained: teardown the router, access the board, look for that serial port and hook in an RS232 to USB and we have a terminal. I wanted to just flash the original TP-Link firmware and be done with it, get it working again.
Here are the steps I followed:
- Download the firmware:
wget http://www.tp-link.com/resources/software/201011814560814.zip unzip 201011814560814.zip
- rename the bin file, for ease of typing…
mv wr741nv1_en_3_12_4_up(100910).bin tplink.bin
- Open up the router, unsolder the external antennae cable for ease of board removal,
Solder 4 pin serial port header.
Connect an RS232 to USB(TTL) cable:
Yellow: RxD (connect a 10K res as pull-up if you don’t receive anything)
- install gtkterm:
sudo apt install gtkterm
- connect the RS323 to USB cable to the PC and give permissions
sudo chmod 777 /dev/ttyUSB0
- run gtkterm GUI and open the port /dev/ttyUSB0 with the following config
stop bits: 1
Famously known as 8-N-1
- Plugin the power cable on the router motherboard. it should boot up and messages appear on the serial console. Press enter key to enter the console. You can now type in commands.
\00[ 37.050000] SysRq : HELP : loglevel(0-9) reBoot Crash terminate-all-tasks(E) memory-full-oom-kill(F) kill-all-tasks(I) thaw-filesystems(J) show-memory-usage(M) nice-all-RT-tasks(N) powerOff show-registers(P) show-all-timers(Q) Sync show-task-states(T) Unmount show-blocked-tasks(W) \FA BusyBox v1.19.4 (2014-08-17 22:32:49 MSK) built-in shell (ash) Enter 'help' for a list of built-in commands. -= Welcome to WiFi-Scales by T-plus =- root@WiFi-Scales:/#
What in the name of firmwares is WiFi-Scales??
Set root password and open up ssh port 22 in the serial terminal with the commands:
root@WiFi-Scales:/#(echo "p@ssw0rd"; sleep 1; echo "p@ssw0rd") | passwd root root@WiFi-Scales:/#uci set dropbear.@dropbear=dropbear root@WiFi-Scales:/#uci set dropbear.@dropbear.Port=22 root@WiFi-Scales:/#uci set dropbear.@dropbear.RootPasswordAuth=on root@WiFi-Scales:/#uci set dropbear.@dropbear.PasswordAuth=on root@WiFi-Scales:/#uci commit dropbear
Restart DropBear to effect the change
You can read about the Unified Configuration Interface(UCI) system here
- check the router ip address with ifconfig on serial terminal, I got 192.168.10.1 no wonder I couldn’t access the web interface at 192.168.1.1 but even then, I set my PC IP address to 192.168.10.10 and gateway to 192.168.10.1 and mask 255.255.255.0 and still no web interface access.Copy the binary over to the router’s tmp directory from the PC’s terminal:
scp tplink.bin email@example.com:/tmp
- use mtd to write the firmware partition with the binary file, on the router’s serial terminal
root@WiFi-Scales:/#mtd -r write /tmp/tplink.bin firmware
It will automatically reboot the new (original TP-Link) firmware with default settings
Unlocking firmware ... Writing from /tmp/tplink.bin to firmware ... [ ][e][w][e][w][e][w][e][w][e]... Rebooting ... Terminated root@WiFi-Scales:/# [ 1142.500000] Restarting system. U-Boot 1.1.4 (Nov 16 2009 - 01:05:59) AP91 (ar7240) U-boot DRAM: sri #### TAP VALUE 1 = 9, 2, 9 32 MB id read 0x100000ff flash size 4194304, sector count = 64 Flash: 4 MB Using default environment In: serial Out: serial Err: serial Net: ag7240_enet_initialize... No valid address in Flash. Using fixed address : cfg1 0xf cfg2 0x7014 eth0: 00:03:7f:09:0b:ad eth0 up No valid address in Flash. Using fixed address : cfg1 0xf cfg2 0x7214 eth1: 00:03:7f:09:0b:ad ATHRS26: resetting s26 ATHRS26: s26 reset done eth1 up eth0, eth1 Autobooting in 1 seconds ## Booting image at 9f020000 ... OK Starting kernel ... Booting AR7240(Python)... Linux version 2.6.15--LSDK-18.104.22.1680 gcc version 3.4.4 #1 Fri Sep 3 12:31:04 CST 2010 flash_size passed from bootloader = 4 CPU revision is: 00019374 Determined physical RAM map: memory: 02000000 @ 00000000 (usable) User-defined physical RAM map: memory: 02000000 @ 00000000 (usable) Built 1 zonelists ...
Access router on the browser and set it up:
On the serial port console:
Serial terminal output
TL-WR741N mips #1 Fri Sep 3 12:31:04 CST 2010 (none) TL-WR741N login: root Password: Jan 1 00:25:00 login: root login on 'ttyS0' BusyBox v1.01 (2010.09.03-04:20+0000) Built-in shell (msh) Enter 'help' for a list of built-in commands. #