wiki:Routers/TP-LINK/FlashMemory
Last modified 5 years ago Last modified on 03/03/2013 07:37:52 PM

Flash memory on TP-Link devices

These information is valid at the moment only for TP-Link WR741ND v4, but most of TP-Link routers should employ the same design.

Restoring the bootloader

The following procedure can be used to restore a completely bricked router with a corrupted bootloader. Symptoms for wr741nd in such state are easy to recognize, only the power LED comes on, the two right most LED are dimly lit.

The main cause of this is upgrading with the wrong version of TP-Link firmware, disregarding the warning displayed on their website. Procedure can come in handy for development purposes.

TP-Link wr741nd firmware download page notice that must be disregarded to produce such an error:

If your firmware version is 110825, please upgrade 111130 first then upgrade this version 120320. Or your device can be damaged.

For very advanced users only! Requires SMD soldering and reworking. Developed by: Musti

Tools

Dangerous Prototypes Buspirate v3 is used to access the SPI bus. The

Flashrom is used with BusPirate to read/write the flash. Tested under windows with a precompiled binary, but should work as well under other operating systems. Please note that the procedure is very slow. Reading 4MB memory will take about 10-15min, writing it significantly longer (reads the old, writes the new, reads the new).

Hardware

Flash memory needs to be de-soldered from the router and connected to the Bus Pirate either using a dead-bug method or soldering the chip onto a breakout board. ISP (in-circuit) programming is LIKELY NOT possible, as the processor holds the memory in disabled state when not using it and in reset state.

Connect wires as specified in the flash memory datasheet. Make sure you pull disable and write protect lines high/low, to enable writing.

Flash memory type

WR741NDv4 uses Spansion S25FL032P flash memory in SO 8pin package, for communication SPI bus is used.

Dumping SPI flash RDID for testing the communication and verification of connections using Bus Pirate as a standalone device.

SPI>[ 0x9f r:70]
[ 0x9f r:70]
/CS ENABLED
WRITE: 0x9F 
READ: 0x01 0x02 0x15 0x4D 0x00 0x00 0x00 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0x51 0x52 0x59 0x02 0x00 0x40 0x00 0x00 0x00 0x00 0x00 0x27 0x36 0x00 0x00 0x0B 0x0B 0x09 0x0F 0x01 0x01 0x02 0x01 0x16 0x05 0x05 0x08 0x00 0x02 0x1F 0x00 0x10 0x00 0x3D 0x00 0x00 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xFF 0xFF 0xFF 0x50 0x52 0x49 0x31 0x33 0x15 
/CS DISABLED

Dumping flash memory

Using Flashrom and the following command, memory will be dumped in the specified file.

flashrom -p buspirate_spi:dev=COM12,spispeed=1M -r test.txt

Here is a flash dump from TP-Link wr741nd v4.3, you may use it to restore bootloader and firmware partitions, but do not copy others as your MAC address and WiFi calibration info will be lost.

Getting flash memory map

This can be done on a working router with u-boot, running the command printenv, the output will include:

bootargs=console=ttyS0,115200 root=31:02 rootfstype=squashfs init=/sbin/init mtdparts=ar7240-nor0:256k(u-boot),64k(u-boot-env),2752k(rootfs),896k(uImage),64k(NVRAM),64k(ART)
bootcmd=bootm 0x9f020000

The memory map can be drawn from this info, such as:

0:256k(uboot),256k:321k(u-boot-env),321k:3037k(rootfs),3037k:3969k(uImage),3969k:4033k(NVRAM),4033k:4097k(ART)

Flash (ROM) layout map

Flashrom compatible layout map for WR741ND is defined as startaddr:endaddr name, addresses being the offsets from zero.

00000000:0003ffff uboot
00040000:0004ffff u-boot-env
00050000:002fffff rootfs
00300000:003dffff uImage
003e0000:003effff NVRAM
003f0000:00400000 ART

Replacing firmware and bootloader from factory image

Take the HEX editor of choice and perform the following operations.

  • Obtain the factory firmware with bootloader (TP-Link does that) - FW size must be the same as memory map up to NVRAM.
  • Obtain the router flash dump.
  • Remove first 0x100 bytes (up to and including byte 0xff) from factory firmware to get rid of the header.
  • Copy and paste replace bytes in the flash dump by factory firmware without the header.
  • Save and transfer the new firmware into flash and hope for the best.

You can do this only for the bootloader section, once that runs rootfs can be uploaded later. u-boot-env variables need to be correctly configured from ART table. A better method is using a layout map in flashrom, needs to be tested first though.

Replacing the bootloader from another identical router

This method can have greater success rate as the factory firmware might have changed/be corrupted or so.

  • Perform flash dump from a working router.
  • Create rom.layout text file containing the partition map.
  • Restore the desired partitions from flash dump using the command:
flashrom -p buspirate_spi:dev=COM12,spispeed=2M -w workingFlash.bin -l rom.layout -i uboot -i u-boot-env

This writes the specified partitions of workingFlash.bin as defined by rom.layout to the target flash.

Now perform your favorite tftp or other method.

https://forum.openwrt.org/viewtopic.php?id=39180

https://forum.openwrt.org/viewtopic.php?id=28852

http://flashrom.org/Flashrom

Attachments