Flashing OpenWRT on TPlink 703n v1.7

Submitted by gerry on Mon, 11/10/2014 - 12:04

I recently bought a TPLink WR703n as they are a nice, inexpensive, and very hackable little device. I have a few projects in mind for this, including playing with Hak.5's Wifi Pineapple. Pretty much all the hacks require flashing with OpenWRT.

When I started my research, I discovered that some versions of the 703n can be bricked by OpenWRT. They are not actually fully bricked, as in completely unresponsive, but they boot with the LAN disabled, and therefore are uncontactable. It is possible to recover using the serial port, but this requires a bit of soldering, and is really not for the faint-of-heart.

The hardware that is susceptible is version 1.7. To add further complication, some devices that are labelled 1.6 are in fact 1.7 devices under the hood. As a result, it is important to do a bit of probing to see what the actual version is. A couple of different scenarios may exist -

1. If the device is running the original Chinese firmware, a build version reading "Build 120925" will correspond to a v1.7 firmware.

2. If the device is shipped with dd-wrt pre-installed, it is possible to log in over telnet. The default login/password are root/admin. Once logged in, the following command will list the version -

# grep -a U-Boot /dev/mtd0ro | cut -d'I' -f1

A version 1.7 can be identified by a build date Sep 25 2012.

In my case, to further complicate the situation, the build version was -

U-Boot 1.1.4 (Jun 19 2013 - 21:54:34)

The usual 1.7 build id is 121204, and there are some 1.6 builds reported as 130318 and 130321, whereas this is 130625. As a result, I figured the prudent thing to do would be to flash a version of OpenWRT that would ensure compatibility with 1.7, while retaining compatibility with earlier hardware. The version that meets these criteria is the 12-09 build of OpenWRT - Attitude Adjustment branch. This can be downloaded from here: http://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/op...

While doing my research, I came across the failsafe uboot project. The purpose of this is to provide a featureful recovery system to help with those failed flashes and other brick-generating events. I decided to go ahead and flash this image also. I came across a post on OpenWRT discussing an interesting uboot with a web-gui failsafe mode. The thread is here: https://forum.openwrt.org/viewtopic.php?id=43237

The code repo for the uboot is here: https://github.com/pepe2k/u-boot_mod

A precompiled binary for the 703n can be downloaded here: https://app.box.com/s/z13rrr8v8vdu70la67jn

Once downloaded, the image needs to be modified. The MAC address of the router needs to be inserted. Thankfully, though, scripts exist to do this.
I will reproduce a script from here for convenience:

#!/bin/sh
# These two values will very likely need to change for your download.
UBOOT_NAME=wr703n_tuboot_test_2012_06_06.bin
MD5SUM_SHOULD_BE="623dc0bba6fab68c22e5fb2f329d7d09"
# Check the md5sum first: every single byte of a bootloader has to be right.
CURRENT_MD5SUM_VAL=$( md5sum "$UBOOT_NAME" | awk '{print $1 }' )
echo "$UBOOT_NAME md5sum : $CURRENT_MD5SUM_VAL"
if [ "$MD5SUM_SHOULD_BE" = "$CURRENT_MD5SUM_VAL" ]; then
  echo "$UBOOT_NAME md5sum check pass"
else
  echo "###############$UBOOT_NAME md5sum check fail###############"
  # Exit non-zero so a caller can tell the check failed.
  exit 1
fi
RAW_UBOOT_LEN=$(wc -c "$UBOOT_NAME" | awk '{print $1 }')
NEED_PAD_LEN=$((0x1fc00-$RAW_UBOOT_LEN))
# Generate a zero-filled pad file so that u-boot plus pad is exactly 0x1fc00 bytes.
dd if=/dev/zero of=pad.bin bs=1 count="$NEED_PAD_LEN"
cat "$UBOOT_NAME" pad.bin >tuboot_0x1fc00.bin
echo "Backup some config first,just like MAC address ..."
# Everything in mtd0 from offset 0x1fc00 onwards is per-device config.
dd if=/dev/mtd0 of=./config.bin bs=1 skip=$((0x1fc00))
# Final image: padded u-boot followed by the device's own config block.
cat ./tuboot_0x1fc00.bin ./config.bin >uboot_0x20000.bin

This script needs to be run on the router, as it pulls data from the existing uboot. The script will create uboot_0x20000.bin, which is the file we want to flash. Prior to running, UBOOT_NAME and MD5SUM_SHOULD_BE need to be updated to the values for your downloaded binary.
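
Before writing the result to mtd0, it is worth confirming that the assembled image is exactly the size of the partition and still carries the device's own config block. The check below is an added example, not part of the original post or of the reproduced script; the function and file names are hypothetical and the sample files are constructed stand-ins for a real bootloader. It assumes dd, od, cmp, head and tail are available, and that the MAC is the first six bytes of the config block at 0x1fc00.

```shell
#!/bin/sh
# Added example: pre-flash sanity checks for the assembled bootloader image.
BOOT_LEN=$((0x20000))  # size of mtd0 as listed in /proc/mtd
CFG_OFF=$((0x1fc00))   # config block offset used by the script above
CFG_LEN=$((BOOT_LEN - CFG_OFF))

# Print LEN bytes of FILE starting at OFF as one lowercase hex string.
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# check_uboot_image NEW CUR RAW: NEW is the image to flash, CUR a dump of the
# current mtd0, RAW the downloaded u-boot. Returns 0 only if every check passes.
check_uboot_image() {
    new=$1 cur=$2 raw=$3
    [ "$(wc -c < "$new")" -eq "$BOOT_LEN" ] ||
        { echo "FAIL: image is not $BOOT_LEN bytes"; return 1; }
    raw_len=$(wc -c < "$raw")
    [ "$raw_len" -le "$CFG_OFF" ] ||
        { echo "FAIL: u-boot binary would overlap the config block"; return 1; }
    head -c "$raw_len" "$new" | cmp -s - "$raw" ||
        { echo "FAIL: start of image differs from the downloaded u-boot"; return 1; }
    [ "$(hex_at "$new" "$CFG_OFF" "$CFG_LEN")" = "$(hex_at "$cur" "$CFG_OFF" "$CFG_LEN")" ] ||
        { echo "FAIL: config block differs from the one in flash"; return 1; }
    # Assumption: the MAC is the first 6 bytes of the config block.
    mac=$(hex_at "$new" "$CFG_OFF" 6)
    case $mac in
        ffffffffffff|000000000000) echo "FAIL: MAC looks blank ($mac)"; return 1 ;;
    esac
    echo "OK: config preserved, MAC bytes $mac"
}

# Build constructed sample files in DIR: a fake u-boot, a fake mtd0 dump with
# MAC 02:11:22:33:44:55, and an image assembled the way the script above does.
make_sample() {
    yes UBOOT | head -c 1000 > "$1/raw.bin"
    { head -c "$CFG_OFF" /dev/zero; printf '\002\021\042\063\104\125'
      head -c $((CFG_LEN - 6)) /dev/zero; } > "$1/cur.bin"
    { cat "$1/raw.bin"; head -c $((CFG_OFF - 1000)) /dev/zero
      tail -c "$CFG_LEN" "$1/cur.bin"; } > "$1/new.bin"
}

# Demo on the constructed files only; nothing here touches a real device.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
check_uboot_image "$demo_dir/new.bin" "$demo_dir/cur.bin" "$demo_dir/raw.bin"
rm -rf "$demo_dir"
```

On the router, the second argument would be a dump of the current partition, for example one taken with dd from /dev/mtd0ro, and the first would be uboot_0x20000.bin.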

The commands I ran to update the image and flash it are as follows. My commands in bold.

root@DD-WRT:~/flash# sh update-image.sh
64512+0 records in
64512+0 records out
Backup some config first,just like MAC address ...
1024+0 records in
1024+0 records out


root@DD-WRT:~/flash# ls
config.bin               pad.bin                  tuboot_0x1fc00.bin       
uboot_0x20000.bin        uboot_for_tl-wr703n.bin  update-image.sh


root@DD-WRT:~/flash# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00020000 00010000 "RedBoot"
mtd1: 003c0000 00010000 "linux"
mtd2: 002e0000 00010000 "rootfs"
mtd3: 00020000 00010000 "ddwrt"
mtd4: 00010000 00010000 "nvram"
mtd5: 00010000 00010000 "board_config"
mtd6: 00400000 00010000 "fullflash"
mtd7: 00020000 00010000 "fullboot"


root@DD-WRT:~/flash# mtd write uboot_0x20000.bin mtd0
Unlocking mtd0 ...
Writing from uboot_0x20000.bin to mtd0 ...  [w]


root@DD-WRT:~/flash# grep -a U-Boot /dev/mtd0ro | cut -d'I' -f1
U-Boot 1.1.4 (Jun 19 2013 - 21:54:34)
7▒AP121 (AR9331) U-Boot for TL-WR703N
root@DD-WRT:~/flash#

Once this is completed, we can continue on to flash the firmware. I downloaded it from here http://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/op... to a local webserver and downloaded it to the router from there. I renamed it to something shorter while doing this.
Sequence of commands below... my input in bold.

root@DD-WRT:/tmp# wget http://192.168.1.222/files/openwrt.bin
Connecting to 192.168.1.222 (192.168.1.222:80)
openwrt.bin          100% |
**************************************************************************
**************************************************************************
*******|  3840k  0:00:00 ETA

root@DD-WRT:/tmp# mtd -r write openwrt.bin linux
Unlocking linux ...
Writing from openwrt.bin to linux ...  [w]
Connection to 192.168.1.1 closed by remote host.
Connection to 192.168.1.1 closed.


root@erdos:~ $ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
 === IMPORTANT ============================
  Use 'passwd' to set your login password
  this will disable telnet and enable SSH
 ------------------------------------------


BusyBox v1.19.4 (2013-03-14 11:28:31 UTC) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 ATTITUDE ADJUSTMENT (12.09, r36088)
 -----------------------------------------------------
  * 1/4 oz Vodka      Pour all ingredients into mixing
  * 1/4 oz Gin        tin with ice, strain into glass.
  * 1/4 oz Amaretto
  * 1/4 oz Triple sec
  * 1/4 oz Peach schnapps
  * 1/4 oz Sour mix
  * 1 splash Cranberry juice
 -----------------------------------------------------
root@OpenWrt:/#

Success!
