TP-Link TL-WR840N v4 and TL-WR841N v13 are simple N300 routers with
5-port FE switch and non-detachable antennas. Both are very similar
and are based on MediaTek MT7628NN (aka MT7628N) WiSoC.
The difference between these two models is in number of available
LEDs, buttons and power input switch.
This work is partially based on GitHub PR#974.
Specification:
- MT7628N/N (580 MHz)
- 64 MB of RAM (DDR2)
- 8 MB of FLASH
- 2T2R 2.4 GHz
- 5x 10/100 Mbps Ethernet
- 2x external, non-detachable antennas
- UART (J1) header on PCB (115200 8n1)
- TL-WR840N v4: 5x LED (GPIO-controlled), 1x button
- TL-WR841N v13: 8x LED (GPIO-controlled*), 2x button, power input
switch
* WAN LED in TL-WR841N v13 is a dual-color, dual-leads type which isn't
(fully) supported by gpio-leds driver. This type of LED requires both
GPIOs state change at the same time to select color or turn it off.
For now, we support/use only the green part of the LED.
Factory image notes:
These devices use version 3 of TP-Link header, fortunately without RSA
signature (at least in case of devices sold in Europe). The difference
lays in the requirement for a non-zero value in "Additional Hardware
Version" field. Ideally, it should match the value stored in vendor
firmware header on device ("0x4"/"0x13" for these devices) but it seems
that anything other than "0" is correct.
We are able to prepare factory firwmare file which is accepted and
(almost) correctly flashed from the vendor GUI. As it turned out, it
accepts files without U-Boot image with second header at the beginning
but due to some kind of bug in upgrade routine, flashed image gets
corrupted before it's written to flash.
Tests showed that the GUI upgrade routine copies value of "Additional
Hardware Version" from existing firmware into offset "0x2023c" in
provided file, _before_ storing it in flash. In case of vendor firmware
upgrade files (which all include U-Boot image and two headers), this
offset points to the matching field in kernel+rootfs firmware part
header. Unfortunately, in case of LEDE factory image file which contains
only one header, it points to the offset "0x2023c" in kernel image. This
leads to a corrupted kernel and ends up with a "soft-bricked" device.
The good news is that U-Boot in these devices contains well known tftp
recovery mode, which can be triggered with "reset" button. What's more,
in comparison to some of older MediaTek based TP-Link devices, this
recovery mode doesn't write whole file at offset "0x0" in flash, without
verifying provided file in advance. In case of recovery mode in these
devices, first "0x20000" bytes are always skipped and "0x7a0000" bytes
from rest of the file are stored in flash at offset "0x20000".
Flash instruction:
Until (if at all) TP-Link fixes described problem, the only way to flash
LEDE image in these devices is to use tftp recovery mode in U-Boot:
1. Configure PC with static IP 192.168.0.66/24 and tftp server.
2. Rename "lede-ramips-mt7628-tl-wr84...-squashfs-tftp-recovery.bin"
to "tp_recovery.bin" and place it in tftp server directory.
3. Connect PC with one of LAN ports, press the reset button, power up
the router and keep button pressed for around 6-7 seconds, until
device starts downloading the file.
4. Router will download file from server, write it to flash and reboot.
To access U-Boot CLI, keep pressed "4" key during boot.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
As it turned out, some of new MediaTek based TP-Link devices use value
from field at 0x3c offset in version 3 of TP-Link header to specify
"Additional Hardware Version".
Value from this field is validated during regular (GUI) firmware upgrade
on devices like TL-WR840N v4 or TL-WR841N v13. If it's zero (based on
some tests, it seems that firmware will accept anything != 0), errors
like below are printed on console and upgrade fails:
[ rsl_sys_updateFirmware ] 2137: Firmware Additional HardwareVersion
check failed
[ rdp_updateFirmware ] 345: perror:4506
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
TP-Link Archer C58 v1 is a dual-band AC1350 router, based on Qualcomm
QCA9561 + QCA9886. It looks like Archer C59 v1 without USB port.
Specification:
- 775/650/258 MHz (CPU/DDR/AHB)
- 64 MB of RAM (DDR2)
- 8 MB of FLASH (SPI NOR)
- 3T3R 2.4 GHz
- 2T2R 5 GHz
- 5x 10/100 Mbps Ethernet
- 6x LED, 3x button
- UART header on PCB, RX, TX at TP4+5 (backside)
QCA9886 wlan needs pre_cal_data file and enable ieee80211 phy hotplug to
patch macaddress.
Flash instruction:
Use "factory" image directly in vendor GUI.
Recovery method:
1. Set PC to fixed ip address 192.168.0.66/24.
2. Download "lede-ar71xx-generic-archer-c58-v1-squashfs-factory.bin" and
rename it to "tp_recovery.bin".
3. Start a tftp server with the file "tp_recovery.bin" in its root
directory.
4. Turn off the router.
5. Press and hold Reset button.
6. Turn on router with the reset button pressed and wait ~15 seconds.
7. Release the reset button and after a short time the firmware should
be transferred from the tftp server.
8. Wait ~30 second to complete recovery.
Flash instruction under U-Boot, using UART:
tftp 0x81000000 lede-ar71xx-...-sysupgrade.bin
erase 0x9f020000 +$filesize
cp.b $fileaddr 0x9f020000 $filesize
reset
This commit is based on GitHub PR#1112
Signed-off-by: Henryk Heisig <hyniu@o2.pl>
TP-Link TL-WA855RE v1 is a wall-plug N300 Wi-Fi range extender,
based on Qualcomm/Atheros QCA9533 v2.
Short specification:
- 550/397/198 MHz (CPU/DDR/AHB)
- 1x 10/100 Mbps Ethernet
- 32 MB of RAM (DDR1)
- 4 MB of FLASH
- 2T2R 2.4 GHz
- 2x external antennas
- 2x LED (green and orange in the same package), 2x button
- UART: TP5(TX) and TP4(RX) test points on PCB
Flash instruction: use "factory" image directly in vendor GUI.
Warning: this device does not include any kind of recovery mechanism
in the bootloader and disassembling process is not trivial.
You can access vendor firmware over serial line using:
- login: root
- password: sohoadmin
Image was tested only in EU version of the device, but should work
also with the same device version sold in other countries.
Signed-off-by: Federico Cappon <dududede371@gmail.com>
The sum variable need to be initialised, otherwise it will points to
random stack memory and a bogus image checksum might be calculated.
While at it, fix the segfault in case the product region code isn't
specified and enable compiler warnings which had revealed all the code
issues.
Signed-off-by: Mathias Kresin <dev@kresin.me>
Use the timestamp from the enviroment SOURCE_DATE_EPOCH
if set instead of the build time.
Fixes reproducible builds for certain firmware images.
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
This adds the necessary firmware layout definitions for the Archer C25.
It has an addtional partition containing some static data ("extra-para")
without which no factory flash is possible, therefore put_data() has been
added.
Signed-off-by: Ludwig Thomeczek <ledesrc@wxorx.net>
TP-Link TL-WR942N v1 is a 2.4 GHz single-band N450 router, based on
Qualcomm/Atheros QCA9561.
Specification:
- 775/650/258 MHz (CPU/DDR/AHB)
- 128 MB of RAM (DDR2)
- 16 MB of FLASH (SPI NOR)
- 3T3R 2.4 GHz
- 5x 10/100 Mbps Ethernet
- 2x USB 2.0
- 11x LED (most are controlled by 74HC595)
- 2x button
- UART header on PCB*
* Serial console is disabled in OEM non-beta firmwares and corresponding
GPIO pins 14 and 15 are assigned to control USB1 and USB2 LEDs by
production (non-beta) U-Boot and firmware.
Currently not working:
1. USB1 and USB2 LEDs if UART RX and TX pins are assigned to their GPIOs
by some U-Boot versions.
Flash instruction under vendor GUI:
1. Download "lede-ar71xx-generic-tl-wr942n-v1-squashfs-factory.bin".
2. Go to WEB interface and perform usual firmware upgrade.
FLash instruction under U-Boot recovery mode (doesn't work in beta
firmware):
1. Setup PC with static IP "192.168.0.66/24" and tftp server.
2. Change "*-factory" image filename to "WR942v1_recovery.bin" and make
it available to download from your tftp server.
3. Press "reset" button and power up the router, wait till "WPS" LED
turns on.
Flash instruction under U-Boot, using UART (can be done only with
preinstalled UART-enabled U-Boot version!):
1. Use "tpl" to stop autobooting and obtain U-Boot CLI access.
2. Setup ip addresses for U-Boot and your tftp server.
3. Issue below commands:
tftp 0x81000000 lede-ar71xx-generic-tl-wr942n-v1-sysupgrade.bin
erase 0x9f020000 +$filesize
cp.b 0x81000000 0x9f020000 $filesize
reset
Signed-off-by: Serg Studzinskii <serguzhg@gmail.com>
[minor code style fixes, extended commit message]
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
Some TP-Link routers (C25, C59, C60) contain a version string instead
of a binary structure in the soft_version partition.
Flashing LEDE from the original firmware's GUI, this version string
taken from the soft_ver partition of the firmware image is written to
the router's config partition.
When using tftp recovery to go back to the original Archer C25 firmware,
a version check compares that version to the version of the firmware to
be flashed.
Without proper contents in the config partition, reverting to the
original firmware fails.
Therefore, write the string "soft_ver:1.0.0\n" to that soft_ver
partition.
Signed-off-by: Jan Niehusmann <jan@gondor.com>
TP-Link TL-WA850RE v2 is a wall-plug N300 Wi-Fi range extender,
based on Qualcomm/Atheros QCA9533 v2.
Short specification:
- 550/391/195 MHz (CPU/DDR/AHB)
- 1x 10/100 Mbps Ethernet
- 32 MB of RAM (DDR1)
- 4 MB of FLASH
- 2T2R 2.4 GHz
- 2x internal antennas (embedded on PCB)
- 9x LED (all can be turned off with GPIO15), 2x button
- UART (J3) header on PCB
Flash instruction: use "factory" image directly in vendor GUI.
Warning: this device does not include any kind of recovery mechanism
in the bootloader and disassembling process is not trivial.
You can access vendor firmware over serial line using:
- login: root
- password: sohoadmin
Image was tested only in US version of the device, but should work
also with the same device version sold in other countries.
Available FLASH space, with LEDE trunk, is only 240 KB.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
some of Buffalo DHP series use slightly different trx magic, buffalo-enc,
buffalo-tag, and factory image begin with 'bgn'.
this patch adds support for building those images.
Signed-off-by: FUKAUMI Naoki <naobsd@gmail.com>
TP-Link Archer C59v1 is a dual-band AC1350 router, based on Qualcomm/Atheros
QCA9561+QCA9886.
Specification:
- 775/650/258 MHz (CPU/DDR/AHB)
- 128 MB of RAM (DDR2)
- 16 MB of FLASH (SPI NOR)
- 3T3R 2.4 GHz
- 2T2R 5 GHz
- 5x 10/100 Mbps Ethernet
- USB 2.0 port
- 8x LED (controled by 74HC595), 3x button
- UART header on PCB
TP-Link Archer C60v1 is a dual-band AC1350 router, based on Qualcomm/Atheros
QCA9561+QCA9886.
Specification:
- 775/650/258 MHz (CPU/DDR/AHB)
- 64 MB of RAM (DDR2)
- 8 MB of FLASH (SPI NOR)
- 3T3R 2.4 GHz
- 2T2R 5 GHz
- 5x 10/100 Mbps Ethernet
- 7x LED, 2x button
- UART header on PCB
Currently not working:
- Port LAN1 on C59, LAN4 on C60
- WiFi 5GHz (missing ath10k firmware for QCA9886 chip)
- Update from oficial web interface ( tplink-saveloader not support "product-info")
Flash instruction:
1. Set PC to fixed ip address 192.168.0.66
2. Download lede-ar71xx-generic-archer-cXX-v1-squashfs-factory.bin
and rename it to tp_recovery.bin
3. Start a tftp server with the file tp_recovery.bin in its root directory
4. Turn off the router
5. Press and hold Reset button
6. Turn on router with the reset button pressed and wait ~15 seconds
7. Release the reset button and after a short time
the firmware should be transferred from the tftp server
8. Wait ~30 second to complete recovery.
Flash instruction under U-Boot, using UART:
1. tftp 0x81000000 lede-ar71xx-...-sysupgrade.bin
2. erase 0x9f020000 +$filesize
3. cp.b $fileaddr 0x9f020000 $filesize
4. reset
Signed-off-by: Henryk Heisig <hyniu@o2.pl>
[Jo-Philipp Wich: remove duplicate ATH79_MACH_ARCHER_C59/C60_V1 entries]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The firmware image that is used in TP-Link RE450 (and some more devices from
the RE series) is tplink-safeloader.
In the kernel partition, the kernel is compressed in a regular tp-link
firmware that is just used for booting. Since it is only used for compressing
and booting, only four fields are filled in the header:
Vendor, version, kernel load address and kernel entry point.
mktplinkfw-kernel is a simpler version of mktpolinkfw that generate such
images. It also specifies the hardware id (as it is in the product info
section), so when doing a sysupgrade - the existing code will check for
hardware compatibility.
Signed-off-by: Tal Keren <kooolk@gmail.com>
[rd@radekdostal.com: add build target to .../image/tp-link.mk]
Signed-off-by: Radek Dostál <rd@radekdostal.com>
The TL-WR1043ND v4 uses a kernel image with a mktplinkfw header inside the
os-image partition of a tplink-safeloader image.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
In order to make it easier to add new boards in the future, refactor the code
to describe the image layouts of supported boards in a struct array and alter
the image generation routines to figure out the sysupgrade partitions
automatically.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Adds support for new EU and US variants; removes a few strings that were
never actually used and have been removed from the stock firmwares.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Our current implementation is pretty old and uses some pre-standard/old
ANSI C style that triggers warnings like:
warning: call to function 'MD5_Init' without a real prototype [-Wunprototyped-calls]
This is caused by declarations specified in a following way:
src/md5.h:60:6: note: 'MD5_Init' was declared here
void MD5_Init ();
Having these warnings makes it harded to notice real problems. We could
try hiding them but it makes more sense to just use a cleaner code.
Another tiny gain from this switch is slightly reduced binary size, on
x86_64 tplink-safeloader's size 48104 became 48003.
The new code is public domain, uses "heavily cut-down BSD license".
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Earlier compilers such as GCC 4 do not like anynomous unions, make it a named
union "u", and update the code where relevant.
Fixes FS#298
Fixes: a72e1692b8 ("firmware-utils: Add support for the Cisco Meraki MX60/MX60W")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
This patch adds header support for the Cisco Meraki MX60/MX60W, which
are a part of the apm821xx target. Some structure changes were needed
due to the fact this device uses U-Boot (unlike other devices in
mkmerakifw.c) which uses a different header structure to define the load
offsets for the image.
A thanks to Christian for helping implement this properly.
Cc: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Chris Blake <chrisrblake93@gmail.com>
Recent refactoring introduced a regression. It ignored second argument
of make_support_list function which was originally true for C2600. The
new generic build_image function always passes false.
This patch allows specifying trailing char in a device specific info. It
also switches Archer C9 to the \0 char to make it compliant with vendor
images.
I verified generated images to be binary identical to the ones that
were created before whole refactoring.
Reported-by: Jo-Philipp Wich <jo@mein.io>
Fixes: fd924d2068 ("firmware-utils: tplink-safeloader: use one function for generating images")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Looking into /usr/include/stdlib.h, there's a `devname()` function defined
under some #ifdef's which conflicts with the `static char *devname` definition
in `src/mkwrggimg.c`.
Defining `_ANSI_SOURCE` in the `src/mkwrggimg.c` file, omits that part of the
header.
Another more intrusive approach is to rename `devname` to something like
`g_devname` in `src/mkwrggimg.c`. But I think the `_ANSI_SOURCE` define should
be enough.
Compilation error is:
src/mkwrggimg.c:64:14: error: redefinition of 'devname' as different kind of symbol
static char *devname;
^
/usr/include/stdlib.h:286:7: note: previous definition is here
char *devname(dev_t, mode_t);
^
src/mkwrggimg.c:147:12: error: non-object type 'char *(dev_t, mode_t)' (aka 'char *(int, unsigned short)') is not assignable
devname = optarg;
~~~~~~~ ^
src/mkwrggimg.c:192:6: warning: comparison of function 'devname' equal to a null pointer is always false [-Wtautological-pointer-compare]
if (devname == NULL) {
^~~~~~~ ~~~~
src/mkwrggimg.c:192:6: note: prefix with the address-of operator to silence this warning
if (devname == NULL) {
^
&
src/mkwrggimg.c:251:27: warning: incompatible pointer types passing 'char *(dev_t, mode_t)' (aka 'char *(int, unsigned short)') to parameter of type 'const char *' [-Wincompatible-pointer-types]
strncpy(header->devname, devname, sizeof(header->devname));
^~~~~~~
/usr/include/secure/_string.h:119:34: note: expanded from macro 'strncpy'
__builtin___strncpy_chk (dest, src, len, __darwin_obsz (dest))
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
[Jo-Philipp Wich: slightly reformat commit message]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Some gcc versions seem to miscompile code using ternary operators,
work around this by just returning the result if exp is 0.
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
TP-Link has changed the way the region is stored in the firmware header,
and now provides US- and EU-specific images for the Archer C7. Adding the
new region codes is necessary to make LEDE/OpenWrt flashable on devices
with the new stock firmwares again.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
The CPE210 was still described for the OEM upgrade as compatible,
even the wireless configuration isn't compatible anymore between
both series (2ghz and 5ghz).
Update the CPE210 image profile to use the new profile.
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
