Flash memory on TP-Link devices
This information is currently valid only for the TP-Link WR741ND v4, but most TP-Link routers should use the same design.
Restoring the bootloader
The following procedure can be used to restore a completely bricked router with a corrupted bootloader. The symptoms on a WR741ND in this state are easy to recognize: only the power LED comes on, and the two rightmost LEDs are dimly lit.
The usual cause is flashing the wrong version of TP-Link firmware, disregarding the warning displayed on their website. The procedure can also come in handy for development purposes.
The notice on the TP-Link WR741ND firmware download page that has to be ignored to produce this state:
If your firmware version is 110825, please upgrade 111130 first then upgrade this version 120320. Or your device can be damaged.
For very advanced users only! Requires SMD soldering and reworking. Developed by: Musti
A Dangerous Prototypes Bus Pirate v3 is used to access the SPI bus. Flashrom is used with the Bus Pirate to read and write the flash. Tested under Windows with a precompiled binary, but it should work just as well under other operating systems. Note that the procedure is very slow: reading the 4 MB memory takes about 10-15 min, and writing takes significantly longer (flashrom reads the old contents, writes the new image, then reads it back to verify).
The flash memory needs to be desoldered from the router and connected to the Bus Pirate, either dead-bug style or soldered onto a breakout board. In-circuit (ISP) programming is LIKELY NOT possible, as the processor keeps the memory deselected while it is not using it and also while it is held in reset.
Connect the wires as specified in the flash memory datasheet: /CS, SCK, SI (MOSI), SO (MISO), VCC and GND. /HOLD and /WP are both active low on this part, so tie them high; otherwise the chip is either held or has its status register write-protected, and writing fails.
Flash memory type
The WR741ND v4 uses a Spansion S25FL032P (32 Mbit, 4 MB) flash memory in an 8-pin SO package, accessed over the SPI bus.
Read the SPI flash ID (RDID, command 0x9F) with the Bus Pirate alone first; this tests the communication and the wiring before a long flashrom run. The first three bytes are the JEDEC ID: 0x01 (Spansion), 0x02 0x15 (S25FL032P). From offset 0x10 onwards the chip returns its CFI table, which starts with "QRY"; a response of all 0xFF or all 0x00 means the chip is not answering (check power, /CS, /HOLD and the MISO line).
SPI>[ 0x9f r:70]
/CS ENABLED
WRITE: 0x9F
READ: 0x01 0x02 0x15 0x4D 0x00 0x00 0x00 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0x51 0x52 0x59 0x02 0x00 0x40 0x00 0x00 0x00 0x00 0x00 0x27 0x36 0x00 0x00 0x0B 0x0B 0x09 0x0F 0x01 0x01 0x02 0x01 0x16 0x05 0x05 0x08 0x00 0x02 0x1F 0x00 0x10 0x00 0x3D 0x00 0x00 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xFF 0xFF 0xFF 0x50 0x52 0x49 0x31 0x33 0x15
/CS DISABLED
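The following is an added example (not code from this page, from flashrom or from the Bus Pirate firmware) that decodes the RDID answer shown above: it parses the Bus Pirate "READ:" line, checks the JEDEC ID against the S25FL032P and decodes the CFI table, so the chip size and erase geometry can be confirmed before a 15-minute flashrom run. The transcript line is copied from the page; the helper names and the KNOWN_IDS table are this example's own.

```python
"""Decode the RDID/CFI answer of an SPI NOR flash before dumping it.

Added example for this page, not code from the page or from flashrom.
"""
import struct

# Copied from the Bus Pirate transcript on the page (S25FL032P answer to 0x9F).
BUSPIRATE_READ_LINE = (
    "READ: 0x01 0x02 0x15 0x4D 0x00 0x00 0x00 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF "
    "0xFF 0xFF 0xFF 0x51 0x52 0x59 0x02 0x00 0x40 0x00 0x00 0x00 0x00 0x00 "
    "0x27 0x36 0x00 0x00 0x0B 0x0B 0x09 0x0F 0x01 0x01 0x02 0x01 0x16 0x05 "
    "0x05 0x08 0x00 0x02 0x1F 0x00 0x10 0x00 0x3D 0x00 0x00 0x01 0x00 0x00 "
    "0x00 0x00 0x00 0x00 0x00 0x00 0xFF 0xFF 0xFF 0x50 0x52 0x49 0x31 0x33 0x15"
)

# JEDEC (manufacturer, memory type, capacity) IDs this page cares about.
KNOWN_IDS = {
    (0x01, 0x02, 0x15): "Spansion S25FL032P, 32 Mbit",
}


def parse_buspirate_read(line):
    """Convert a Bus Pirate 'READ: 0x01 0x02 ...' line into bytes."""
    hexes = line.split("READ:", 1)[1].split()
    return bytes(int(h, 16) for h in hexes)


def decode_rdid(resp):
    """Decode JEDEC ID + CFI table; raise ValueError on a wiring fault."""
    if len(resp) < 0x35:
        raise ValueError("need at least 0x35 bytes of RDID/CFI data")
    # A stuck MISO is the most common wiring fault: all ones (line floating,
    # chip unpowered, /CS never asserted or /HOLD low) or all zeros (short).
    if all(b == 0xFF for b in resp):
        raise ValueError("all 0xFF: chip not answering, check VCC, /CS, /HOLD, MISO")
    if all(b == 0x00 for b in resp):
        raise ValueError("all 0x00: MISO stuck low, check wiring")

    jedec = tuple(resp[:3])
    info = {"jedec_id": jedec, "name": KNOWN_IDS.get(jedec, "unknown part")}

    if resp[0x10:0x13] != b"QRY":
        raise ValueError("no CFI 'QRY' signature at offset 0x10")
    # CFI: 0x27 = log2(device size), 0x2A..0x2B = log2(max write buffer),
    # 0x2C = number of erase regions, each region 4 bytes from 0x2D:
    # (block count - 1) then (block size / 256), both little-endian 16-bit.
    info["size_bytes"] = 1 << resp[0x27]
    info["write_buffer_bytes"] = 1 << struct.unpack_from("<H", resp, 0x2A)[0]
    regions = []
    off = 0x2D
    for _ in range(resp[0x2C]):
        if off + 4 > len(resp):
            raise ValueError("CFI erase region table truncated")
        count_m1, size_div256 = struct.unpack_from("<HH", resp, off)
        regions.append((count_m1 + 1, size_div256 * 256 if size_div256 else 128))
        off += 4
    info["erase_regions"] = regions
    total = sum(n * size for n, size in regions)
    if total != info["size_bytes"]:
        raise ValueError(f"erase regions cover {total} bytes, CFI says {info['size_bytes']}")
    # Offset of the primary extended table (0x15..0x16); it begins with "PRI".
    ext = struct.unpack_from("<H", resp, 0x15)[0]
    if len(resp) >= ext + 5:
        info["ext_table"] = resp[ext:ext + 5].decode("ascii")
    return info


if __name__ == "__main__":
    for key, val in decode_rdid(parse_buspirate_read(BUSPIRATE_READ_LINE)).items():
        print(f"{key}: {val}")
```

For the transcript above this yields a 4 MB device with two erase regions, 32 x 4 KB and 62 x 64 KB, which matches the S25FL032P's hybrid sector layout; if the decoded size does not match what you are about to dump with flashrom, stop and recheck the wiring.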
Dumping flash memory
Using flashrom and the following command, the memory is dumped into the specified file (COM12 is the Bus Pirate's serial port under Windows; under Linux use something like dev=/dev/ttyUSB0). The dump is a raw binary image regardless of the file name. Dump twice and compare the two files: a flaky connection shows up as differences between reads, better found now than during a write.
flashrom -p buspirate_spi:dev=COM12,spispeed=1M -r test.txt
Getting flash memory map
This can be done on a working router from the U-Boot prompt by running printenv; the output includes:
bootargs=console=ttyS0,115200 root=31:02 rootfstype=squashfs init=/sbin/init mtdparts=ar7240-nor0:256k(u-boot),64k(u-boot-env),2752k(rootfs),896k(uImage),64k(NVRAM),64k(ART)
bootcmd=bootm 0x9f020000
The memory map can be drawn from this info: mtdparts lists the partitions in order with their sizes, so each start address is the sum of the preceding sizes.
Flash (ROM) layout map
A flashrom-compatible layout map for the WR741ND is defined as startaddr:endaddr name, where the addresses are offsets from zero and endaddr is the last byte of the region (inclusive):
00000000:0003ffff uboot
00040000:0004ffff u-boot-env
00050000:002fffff rootfs
00300000:003dffff uImage
003e0000:003effff NVRAM
003f0000:003fffff ART
The chip is 0x400000 bytes, so the last region ends at 003fffff; an end address of 00400000 would lie outside the chip and flashrom rejects such a layout.
Replacing firmware and bootloader from factory image
Take the hex editor of your choice and perform the following operations.
- Obtain the factory firmware that includes the bootloader (TP-Link's factory images do). Without its header, the image must be exactly as long as the memory map up to NVRAM.
- Obtain the router's flash dump.
- Remove the first 0x100 bytes (up to and including byte 0xff) from the factory firmware to get rid of the header. Check that what follows the cut is real code and not just zero padding: the tail of the TP-Link header is padding, so if the data right after 0xff is still all zeros the header on your image is longer and the cut has to move.
- Replace the bytes of the flash dump with the factory firmware without its header.
- Save, write the new image into the flash, and hope for the best.
You can also do this only for the bootloader section; once U-Boot runs, the rootfs can be uploaded later. The u-boot-env variables need to be configured correctly from the ART table. A better method is using a layout map in flashrom, but it still needs to be tested.
Replacing the bootloader from another identical router
This method can have a greater success rate, since the factory firmware's layout may have changed or the downloaded image may be corrupted.
- Perform a flash dump from a working router.
- Create a rom.layout text file containing the partition map above.
- Restore the desired partitions from the dump using the command:
flashrom -p buspirate_spi:dev=COM12,spispeed=2M -w workingFlash.bin -l rom.layout -i uboot -i u-boot-env
This writes only the partitions of workingFlash.bin selected with -i, as defined by rom.layout, to the target flash; the rest of the chip is left alone. The u-boot-env copied this way is the donor's, so review it with printenv afterwards, and never copy ART, which holds the per-device radio calibration data.
Now flash the rest with your favorite tftp recovery or any other method.
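Both procedures above are the same operation on a binary image: compute the partition map from mtdparts, then overwrite selected partitions of the bricked router's dump with bytes from a donor. The following is an added example (not code from this page, from flashrom or from U-Boot) that does this without a hex editor. It covers both cases: a factory image with its header stripped (donor_offset = header length) and a raw dump from an identical router (donor_offset = 0). The mtdparts string is the one printed by printenv above; the header length is the 0x100 the page states and must be confirmed on your image; the file names in the main block are placeholders and the helper names are this example's own.

```python
"""Derive a flashrom layout from U-Boot's mtdparts and splice partitions
from a donor image into a flash dump.

Added example for this page, not code from the page, flashrom or U-Boot.
"""
import re

# From the printenv output on the page.
MTDPARTS = ("ar7240-nor0:256k(u-boot),64k(u-boot-env),2752k(rootfs),"
            "896k(uImage),64k(NVRAM),64k(ART)")
FLASH_SIZE = 4 * 1024 * 1024     # S25FL032P
TPLINK_HEADER_LEN = 0x100        # as stated on the page; confirm on your image

_UNIT = {"": 1, "k": 1024, "m": 1024 * 1024}


def parse_mtdparts(mtdparts):
    """Return [(name, start, length)] for a 'dev:size(name),...' string."""
    _, _, parts = mtdparts.partition(":")
    table, offset = [], 0
    for m in re.finditer(r"(\d+)([kKmM]?)\(([^)]+)\)", parts):
        length = int(m.group(1)) * _UNIT[m.group(2).lower()]
        table.append((m.group(3), offset, length))
        offset += length
    return table


def flashrom_layout(table):
    """Render the 'start:end name' lines flashrom -l expects (end inclusive)."""
    return "".join(f"{s:08x}:{s + n - 1:08x} {name}\n" for name, s, n in table)


def splice(dump, donor, table, names, donor_offset=0):
    """Return a copy of dump with the named partitions taken from donor.

    The donor is assumed to carry the same flash layout, shifted by
    donor_offset (the stripped firmware header, or 0 for a raw dump).
    """
    if len(dump) != FLASH_SIZE:
        raise ValueError(f"dump is {len(dump)} bytes, expected {FLASH_SIZE}")
    if "ART" in names:
        raise ValueError("ART holds this router's radio calibration; keep the original")
    by_name = {name: (s, n) for name, s, n in table}
    out = bytearray(dump)
    for name in names:
        if name not in by_name:
            raise ValueError(f"no partition named {name} in mtdparts")
        start, length = by_name[name]
        src = donor[donor_offset + start:donor_offset + start + length]
        if len(src) != length:
            raise ValueError(f"donor too short for {name}")
        # Erased NOR reads 0xFF and header padding is 0x00; neither is a
        # bootloader, so a blank start means a wrong donor_offset or donor.
        if src[:16] in (b"\xff" * 16, b"\x00" * 16):
            raise ValueError(f"{name} from donor starts blank; check donor_offset")
        out[start:start + length] = src
    return bytes(out)


if __name__ == "__main__":
    table = parse_mtdparts(MTDPARTS)
    print(flashrom_layout(table), end="")
    # Placeholder file names, not the page's files:
    # dump = open("bricked.bin", "rb").read()
    # factory = open("factory.bin", "rb").read()
    # fixed = splice(dump, factory, table, ["u-boot"], TPLINK_HEADER_LEN)
    # open("fixed.bin", "wb").write(fixed)
```

The generated layout uses the names from mtdparts, so the flashrom command becomes -i u-boot -i u-boot-env instead of -i uboot. Writing the spliced image with flashrom -w and the layout restricted to the same partitions keeps the write short and leaves NVRAM and ART untouched even if the script is misused.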