You are here: OpenWrt Wiki » Table of Hardware » TP-Link » TP-Link TL-WR703N

TP-Link TL-WR703N

The TL-WR703N is marketed as a "3G travel router". It does not include a 3G modem - it simply means that the OEM firmware supports USB 3G modems, and that the oem firmware contains drivers for USB modems! Ridiculous, since with OpenWrt ANY router with USB supports 3G hardware… ;-)

The device was released in August 2011 in China.

The device is very similiar to the TL-MR3020.

Supported Versions

Version/Model	Launch Date	OpenWrt Version Supported	Model Specific Notes
v1.0	August 2011	Trunk (r28294)	Confirmed working
v1.2		Trunk (r29330)	Confirmed working
v1.3		Trunk (29283)	Confirmed working
v1.5	December 2011	Trunk	Confirmed working
v1.6	April 2013	Trunk (r36145)	Confirmed working
v1.7	December 2012	AA(12.09)	AA confirmed working, trunk (r36641) broken

Unlike many newer TP-Link devices, there appears to be no hardware differences between the version for the Chinese market and the version for the international market.

It was the first device that utilised the AR9331 chipset to be ported to OpenWrt. Newer TP-Link devices (such as the TL-WR741ND v4.x also use AR9331).

Features

Atheros AR7240 CPU (400Mhz)
Atheros AR9331 Chipset (integrated wireless)
802.11 b/g/n 150Mbps (130Mbps real)
wireless power output 20dBm - 100mW
4 MB flash memory
32 MB RAM
USB 2.0 port (High-Speed only, use an external High-Speed hub for Full/Low-Speed devices)
Powered via micro-USB socket
Tiny form factor: 5.7cm x 5.7cm x 1.8cm

Installation

Please see generic.flashing for a generic description of the OpenWrt installation process.

Warnings / Gotchas

Please check the firmware version first, either:

in the Chinese webadmin interface: "Build 120925" correspond to a v1.7 firmware
on the internal sticker located on the Ethernet jack (may have 12B042)
DO NOT RELY ON THE VERSION GIVEN BY THE EXTERNAL STICKER ON CASE BOTTOM : it may report falsely "1.6", even if the firmware is actually a V1.7

WARNING If you have a V1.7 firmware, current OpenWrt trunk (r36641) will brick your router, unless you have access to the serial console!

Below is the version of the new bootloader (which disables the LAN port) of a version 1.7 hardware model (bought in December 2012).

	 
root@tpl2:~# grep -a U-Boot /dev/mtd0ro | cut -d'I' -f1	 
U-Boot 1.1.4 (Sep 25 2012 - 09:04:47)

For more info visit this forum topic: https://forum.openwrt.org/viewtopic.php?id=40986

Power consumption

This router is standardly powered via USB at 5V. The voltage regulator inside is unknown, but its input voltage should be at least between 3.7V - 5.5V, but not over 5.5V. The device will get damaged at too high voltages*. Maximum current draw at 5V is 185mA (OpenWrt boot), average current draw with WiFi at 18dBm is 100mA, without WiFi 80mA. Hence the average router power consumption is 0.5W, which is incredibly low.

Power consumption will be higher if a USB device is attached to its USB port!

*Hint: If the router seems to be damaged because of a too high voltage, connect 3.3V _after_ the voltage regulator. This resets an electrical fuse or something, and the router works again.

Serial console

The serial console connector does not utilise the regular TP-Link pinouts. Two pads labelled TP_OUT and TP_IN are the TX and RX signals. 115200 8n1

Note that the pads can very easily be lifted. There is slightly more mechanical strength if you can solder to the surface-mount components to which the pads are connected–but this also takes care–your device could easily be destroyed. Make sure that your connection is secured so that tension cannot be applied to the solder points when you connect to an external device.

Flashing

Upload the latest snapshot via the web interface (default: 192.168.1.1 / admin / admin).

Download latest squashfs-factory.bin or squashfs-sysupgrade.bin firmware for WR703N.

Note that the factory default web interface won't accept a file with a long name. Rename it to openwrt.bin and you won't get a "23002 Error".

For systems without a web interface, you can flash a sysupgrade file with mtd:

cd /tmp
wget http://downloads.openwrt.org/snapshots/trunk/ar71xx/openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-sysupgrade.bin
sysupgrade openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-sysupgrade.bin
reboot

To flash from the Chinese web interface, at the present time you would select the last menu item on the left, and then the third submenu item. This initiates a popup with two buttons–the upper right one allows you to browse to find the file you want to flash on your PC, the lower left one initiates the flash.

When you roll over an item on the Chinese web interface, the rollover text will indicate which item you are selecting.

Failsafe mode

When the configuration no longer allows you to log in via any network connection (e.g. lost password), the OpenWrt failsafe mode can be entered via the single "Reset" button on the device. However, in contrast to the generic failsafe instructions, for the TL-WR703N you have to wait for ca. 10 (10-12) seconds before pushing the "Reset" button after powering on the device. If the button is pushed immediately after powering on, the single blue LED will start blinking, supposedly indicating some failsafe firmware recovery mody of the embedded bootloader (not yet discovered how to use it). In this mode, the OpenWrt failsafe is not being started. Instead, wait for slightly longer than 10 seconds and - as soon as the LED starts blinking for the first time after powering on the device, push the "Reset" button for ca. 1-2 seconds. Immediately afterwards, the LED will blink rapidly (multiple Hz) and OpenWrt will be in failsafe mode.
- The above didn't work on a Ver 1.6 box running OpenWRT r33312. To get into failsafe mode, power up the device and wait until the LED starts flashing (about 2Hz). Once it starts flashing (within about 4 seconds) then quickly press the button. The LED will then flash much faster and the device will be in failsafe mode.

Back to original image

Setup serial console 115200 8n1
Enter "tpl" as soon as U-Boot announces "Autobooting in 1 seconds"
Download the original image: http://www.tp-link.com.cn/download/2011930104462.rar extact to tftp folder
Setup your eth0 to 192.168.1.100, you can check detail by 'printenv'
Run blow command under U-Boot:

tftpboot 0x81000000 wr703nv1_cn_3_12_11_up(110926).bin
erase 0x9f020000 +0x3c0000
cp.b 0x81000000 0x9f020000 0x3c0000
bootm 9f020000

Instructions on the forum for flashing wr703n with mr3020 firmware which is in english and not in chinese.
Detailed instructions on the forum for flashing

Unbrick Tutorial with TFTP and Serial

Internal images

You can see the serial connector labeled TP_IN and TP_OUT on the bottom right. GND is right next to it on the right pin of C55.

AN1 on the bottom right is the strip antenna for wifi.

Hi Res images here : https://plus.google.com/u/0/photos/107211980242732541247/albums/5737162394063705409/5737162392085444242

Hardware summary

	IC	Info	Datasheet
Processor	AR7240		Click
Flash ROM	Eon EN25Q32B		Click
SDRAM	Zentel A3S56D40FTP
Chipset (Wi-Fi controller)	AR9331	1x1	http://see.sl088.com/w/images/6/69/AR9331.pdf

TL-WR703N Reverse Engineering

The TL-WR703N has been teared down by Kean and almost completely reverse-engineered by Squonk, including external layers layout and schematic.

AR9331 Pinout

Check the details here.

GPIOs

The AR933x platform provides 30 GPIOs. Some of them are used by the router for status LEDs, buttons and other stuff. The table below shows the results of investigations:

GPIO	Available on WR703N	AR9331 Pin	POR Value	WR703N Name	Description	MR3020 Name
0	R4-E	A78	0		Must have 0 value during bootstrap*	WLAN LED/LED4
1	R2-S	A77	1		Must have 1 value during bootstrap
2	VIA	B49		SPI_CS_0	Used by SPI Flash	SPI_CS_0
3	VIA	B51		SPI_CLK	Used by SPI Flash	SPI_CLK
4	VIA	A57		SPI_MOSI	Used by SPI Flash	SPI_MOSI
5	R57-S/R60-S	B50		SPI_MISO	Used by SPI Flash	SPI_MISO
6	R16-S	B46		LDO	Connected to U6 LDO*	LDO
7	R15-S	A54	0		*
8	R18-E	A52		USB_POWER	Control USB Host Power	USB_POWER
9	R82-N	B68	1	TP_IN	UART RXD	TP_IN
10	C55-W	A79		TP_OUT	UART TXD	TP_OUT
11	R92-E	B48		RESET SW	Soft Reset Switch	WPS/RESET SW
12	VIA	A56	0		Must have 0 value during bootstrap
13	R3-S	B66	1		Must have 0 value during bootstrap
14	R11-N	A76	0		Must have 0 value during bootstrap*
15	R12-N	B65	0		Must have 0 value during bootstrap*
16	R13-N	A75	0		Must have 0 value during bootstrap
17	R14-N	B64	1			LAN LED/LED5
18	NC	A28	N/A			SLIDE SW1
19
20	NC	A27	N/A			SLIDE SW2
21
22
23
24
25
26
27	LED2-S/LED3-S	B44		LED2/LED3	Blue PCB LED	3G LED/LED3
28	VIA	A74	0		Must have 0 value during bootstrap
29	R17-S	A53	0

* on wr703n these can be floating (i.e. resistors removed) and the unit still boots

PCB details

You can get additional details on the PCB in the dedicated PCB Details Wiki page.

Boot log (OpenWrt)

U-Boot 1.1.4 (Aug 27 2011 - 10:39:39) > AP121-2MB (ar9330) U-boot > DRAM: 32 MB led turning on for 1s... id read 0x100000ff flash size 4194304, sector count = 64 Flash: 4 MB Using default environment > In: serial Out: serial Err: serial Net: ag7240_enet_initialize... No valid address in Flash. Using fixed address No valid address in Flash. Using fixed address : cfg1 0x5 cfg2 0x7114 eth0: 00:03:7f:09:0b:ad ag7240_phy_setup eth0 up : cfg1 0xf cfg2 0x7214 eth1: 00:03:7f:09:0b:ad athrs26_reg_init_lan ATHRS26: resetting s26 ATHRS26: s26 reset done ag7240_phy_setup eth1 up eth0, eth1 Autobooting in 1 seconds ## Booting image at 9f020000 ... Uncompressing Kernel Image ... OK > Starting kernel ... > Linux version 2.6.39.4 (juhosg@idared) (gcc version 4.5.4 20110808 (prerelease) (Linaro GCC 4.5-2011.08) ) #1 Tue Sep 20 14:44:37 CEST 2011 bootconsole [early0] enabled CPU revision is: 00019374 (MIPS 24Kc) SoC: Atheros AR9330 rev 1 Clocks: CPU:400.000MHz, DDR:400.000MHz, AHB:200.000MHz, Ref:25.000MHz Determined physical RAM map: memory: 02000000 @ 00000000 (usable) Initrd not found or empty - disabling initrd Zone PFN ranges: Normal 0x00000000 -> 0x00002000 Movable zone start PFN for each node early_node_map[1] active PFN ranges 0: 0x00000000 -> 0x00002000 Built 1 zonelists in Zone order, mobility grouping on. Total pages: 8128 Kernel command line: board=TL-WR703N console=ttyATH0,115200 rootfstype=squashfs,jffs2 noinitrd PID hash table entries: 128 (order: -3, 512 bytes) Dentry cache hash table entries: 4096 (order: 2, 16384 bytes) Inode-cache hash table entries: 2048 (order: 1, 8192 bytes) Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes. Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes Writing ErrCtl register=00000000 Readback ErrCtl register=00000000 Memory: 29376k/32768k available (2009k kernel code, 3392k reserved, 386k data, 180k init, 0k highmem) SLUB: Genslabs=9, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1 NR_IRQS:80 Calibrating delay loop... 265.42 BogoMIPS (lpj=1327104) pid_max: default: 32768 minimum: 301 Mount-cache hash table entries: 512 NET: Registered protocol family 16 MIPS: machine is TP-LINK TL-WR703N v1 bio: create slab at 0 Switching to clocksource MIPS NET: Registered protocol family 2 IP route cache hash table entries: 1024 (order: 0, 4096 bytes) TCP established hash table entries: 1024 (order: 1, 8192 bytes) TCP bind hash table entries: 1024 (order: 0, 4096 bytes) TCP: Hash tables configured (established 1024 bind 1024) TCP reno registered UDP hash table entries: 256 (order: 0, 4096 bytes) UDP-Lite hash table entries: 256 (order: 0, 4096 bytes) NET: Registered protocol family 1 squashfs: version 4.0 (2009/01/31) Phillip Lougher JFFS2 version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc. msgmni has been set to 57 io scheduler noop registered io scheduler deadline registered (default) Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled ar933x-uart: ttyATH0 at MMIO 0x18020000 (irq = 11) is a AR933X UART console [ttyATH0] enabled, bootconsole disabled console [ttyATH0] enabled, bootconsole disabled Atheros AR71xx SPI Controller driver version 0.2.4 m25p80 spi0.0: found s25sl032a, expected m25p80 m25p80 spi0.0: s25sl032a (4096 Kbytes) Searching for RedBoot partition table in spi0.0 at offset 0x3e0000 Searching for RedBoot partition table in spi0.0 at offset 0x3f0000 No RedBoot partition table detected in spi0.0 spi0.0: no WRT160NL signature found Creating 5 MTD partitions on "spi0.0": 0x000000000000-0x000000020000 : "u-boot" 0x000000020000-0x000000120000 : "kernel" 0x000000120000-0x0000003f0000 : "rootfs" mtd: partition "rootfs" set to be root filesystem mtd: partition "rootfs_data" created automatically, ofs=2A0000, len=150000 0x0000002a0000-0x0000003f0000 : "rootfs_data" 0x0000003f0000-0x000000400000 : "art" 0x000000020000-0x0000003f0000 : "firmware" ag71xx_mdio: probed eth0: Atheros AG71xx at 0xb9000000, irq 4 Atheros AR71xx hardware watchdog driver version 0.1.0 TCP westwood registered NET: Registered protocol family 17 802.1Q VLAN Support v1.8 Ben Greear All bugs added by David S. Miller VFS: Mounted root (squashfs filesystem) readonly on device 31:2. Freeing unused kernel memory: 180k freed linput: gpio-keys-polled as /devices/platform/gpio-keys-polled/input/input0 Button Hotplug driver version 0.4.1 - preinit - Press the [f] key and hit [enter] to enter failsafe mode eth0: link up (100Mbps/Full duplex) - regular preinit - JFFS2 notice: (371) jffs2_build_xattr_subsystem: complete building xattr subsystem, 17 of xdatum (0 unchecked, 16 orphan) and 30 of xref (0 dead, 16 orphan) found. switching to jffs2 - init - > Please press Enter to activate this console. eth0: link down device eth0 entered promiscuous mode Compat-wireless backport release: compat-wireless-2011-08-25 Backport based on wireless-testing.git master-2011-09-14 cfg80211: Calling CRDA to update world regulatory domain eth0: link up (100Mbps/Full duplex) br-lan: port 1(eth0) entering forwarding state br-lan: port 1(eth0) entering forwarding state SCSI subsystem initialized usbcore: registered new interface driver usbfs usbcore: registered new interface driver hub usbcore: registered new device driver usb cfg80211: World regulatory domain updated: cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp) cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm) cfg80211: (2457000 KHz - 2482000 KHz @ 20000 KHz), (300 mBi, 2000 mBm) cfg80211: (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm) cfg80211: (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm) cfg80211: (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm) ieee80211 phy0: Atheros AR9330 Rev:1 mem=0xb8100000, irq=2 cfg80211: Calling CRDA for country: US PPP generic driver version 2.4.2 ip_tables: (C) 2000-2006 Netfilter Core Team cfg80211: Regulatory domain changed to country: US cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp) cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2700 mBm) cfg80211: (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 1700 mBm) cfg80211: (5250000 KHz - 5330000 KHz @ 40000 KHz), (300 mBi, 2000 mBm) cfg80211: (5490000 KHz - 5600000 KHz @ 40000 KHz), (300 mBi, 2000 mBm) cfg80211: (5650000 KHz - 5710000 KHz @ 40000 KHz), (300 mBi, 2000 mBm) cfg80211: (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 3000 mBm) NET: Registered protocol family 24 ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver ar71xx-ehci ar71xx-ehci: Atheros AR91xx built-in EHCI controller ar71xx-ehci ar71xx-ehci: new USB bus registered, assigned bus number 1 ar71xx-ehci ar71xx-ehci: irq 3, io mem 0x1b000000 ar71xx-ehci ar71xx-ehci: USB 2.0 started, EHCI 1.00 hub 1-0:1.0: USB hub found hub 1-0:1.0: 1 port detected nf_conntrack version 0.5.0 (461 buckets, 1844 max) usb 1-1: new high speed USB device number 2 using ar71xx-ehci ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver Initializing USB Mass Storage driver... scsi0 : usb-storage 1-1:1.0 usbcore: registered new interface driver usb-storage USB Mass Storage support registered. scsi 0:0:0:0: Direct-Access Kingston DataTraveler 2.0 1.00 PQ: 0 ANSI: 2 sd 0:0:0:0: [sda] 7856128 512-byte logical blocks: (4.02 GB/3.74 GiB) sd 0:0:0:0: [sda] Write Protect is off sd 0:0:0:0: [sda] Assuming drive cache: write through sd 0:0:0:0: [sda] Assuming drive cache: write through sda: sda1 sd 0:0:0:0: [sda] Assuming drive cache: write through sd 0:0:0:0: [sda] Attached SCSI removable disk > > > BusyBox v1.18.5 (2011-09-17 19:36:07 CEST) built-in shell (ash) Enter 'help' for a list of built-in commands. > _______ ________ __ | |.-----.-----.-----.| | | |.----.| |_ | - || _ | -__| || | | || _|| _| |_______|| __|_____|__|__||________||__| |____| |__| W I R E L E S S F R E E D O M ATTITUDE ADJUSTMENT (bleeding edge, r28258) ---------- * 1/4 oz Vodka Pour all ingredients into mixing * 1/4 oz Gin tin with ice, strain into glass. * 1/4 oz Amaretto * 1/4 oz Triple sec * 1/4 oz Peach schnapps * 1/4 oz Sour mix * 1 splash Cranberry juice ----------------------------------------------------- root@OpenWrt:/# cat /proc/cpuinfo system type : Atheros AR9330 rev 1 machine : TP-LINK TL-WR703N v1 processor : 0 cpu model : MIPS 24Kc V7.4 BogoMIPS : 265.42 wait instruction : yes microsecond timers : yes tlb_entries : 16 extra interrupt vector : yes hardware watchpoint : yes, count: 4, address/irw mask: [0x0000, 0x0ff8, 0x0ff8, 0x0ff8] ASEs implemented : mips16 shadow register sets : 1 kscratch registers : 0 core : 0 VCED exceptions : not available VCEI exceptions : not available > root@OpenWrt:/#

Boot log (Factory)

U-Boot 1.1.4 (Aug 27 2011 - 10:39:39) AP121-2MB (ar9330) U-boot DRAM: 32 MB led turning on for 1s... id read 0x100000ff flash size 4194304, sector count = 64 Flash: 4 MB Using default environment In: serial Out: serial Err: serial Net: ag7240_enet_initialize... No valid address in Flash. Using fixed address No valid address in Flash. Using fixed address : cfg1 0x5 cfg2 0x7114 eth0: 00:03:7f:09:0b:ad ag7240_phy_setup eth0 up : cfg1 0xf cfg2 0x7214 eth1: 00:03:7f:09:0b:ad athrs26_reg_init_lan ATHRS26: resetting s26 ATHRS26: s26 reset done ag7240_phy_setup eth1 up eth0, eth1 Autobooting in 1 seconds ## Booting image at 9f020000 ... Uncompressing Kernel Image ... OK Starting kernel ... Booting AR9330(Hornet)... Linux version 2.6.31--LSDK-9.2.0.312 (root@bogon) (gcc version 4.3.3 (GCC) ) #128 Fri Aug 26 14:58:53 CST 2011 flash_size passed from bootloader = 4 CPU revision is: 00019374 (MIPS 24Kc) Determined physical RAM map: memory: 02000000 @ 00000000 (usable) User-defined physical RAM map: memory: 02000000 @ 00000000 (usable) Zone PFN ranges: Normal 0x00000000 -> 0x00002000 Movable zone start PFN for each node early_node_map[1] active PFN ranges 0: 0x00000000 -> 0x00002000 Built 1 zonelists in Zone order, mobility grouping on. Total pages: 8128 Kernel command line: console=ttyS0,115200 root=31:02 rootfstype=squashfs init=/sbin/init mtdparts=ar7240-nor0:128k(u-boot),1024k(kernel),2816(rootfs),64k(config),64k(ART) mem=32M PID hash table entries: 128 (order: 7, 512 bytes) Dentry cache hash table entries: 4096 (order: 2, 16384 bytes) Inode-cache hash table entries: 2048 (order: 1, 8192 bytes) Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes. Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes Writing ErrCtl register=00000000 Readback ErrCtl register=00000000 Memory: 29864k/32768k available (1888k kernel code, 2904k reserved, 524k data, 116k init, 0k highmem) Hierarchical RCU implementation. NR_IRQS:128 plat_time_init: plat time init done Calibrating delay loop... 266.24 BogoMIPS (lpj=532480) Mount-cache hash table entries: 512 NET: Registered protocol family 16 ===== ar7240_platform_init: 0 Whoops! This kernel is for product wr703 v1.0! bio: create slab at 0 SCSI subsystem initialized usbcore: registered new interface driver usbfs usbcore: registered new interface driver hub usbcore: registered new device driver usb NET: Registered protocol family 2 IP route cache hash table entries: 1024 (order: 0, 4096 bytes) TCP established hash table entries: 1024 (order: 1, 8192 bytes) TCP bind hash table entries: 1024 (order: 0, 4096 bytes) TCP: Hash tables configured (established 1024 bind 1024) TCP reno registered NET: Registered protocol family 1 AR7240 GPIOC major 0 squashfs: version 4.0 (2009/01/31) Phillip Lougher NTFS driver 2.1.29 [Flags: R/O]. msgmni has been set to 58 alg: No test for lzma (lzma-generic) alg: No test for stdrng (krng) io scheduler noop registered io scheduler anticipatory registered io scheduler deadline registered io scheduler cfq registered (default) Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled ttyS0: detected caps 00000000 should be 00000100 serial8250.0: ttyS0 at MMIO 0xb8020000 (irq = 19) is a 16550A console [ttyS0] enabled PPP generic driver version 2.4.2 NET: Registered protocol family 24 cmdlinepart partition parsing not available set partition boot set partition kernel set partition rootfs set partition config set partition art set partition arching for RedBoot partition table 5 RedBoot partitions found on MTD device ar7240-nor0 Creating 5 MTD partitions on "ar7240-nor0": 0x000000000000-0x000000020000 : "boot" 0x000000020000-0x000000120000 : "kernel" 0x000000120000-0x0000003e0000 : "rootfs" 0x0000003e0000-0x0000003f0000 : "config" 0x0000003f0000-0x000000400000 : "art" ->Oops: flash id 0x10215 . ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver Port Status 1c000004 ar7240-ehci ar7240-ehci.0: ATH EHCI ar7240-ehci ar7240-ehci.0: new USB bus registered, assigned bus number 1 ehci_reset Intialize USB CONTROLLER in host mode: 3 ehci_reset Port Status 1c000000 ar7240-ehci ar7240-ehci.0: irq 3, io mem 0x1b000000 ehci_reset Intialize USB CONTROLLER in host mode: 3 ehci_reset Port Status 1c000000 ar7240-ehci ar7240-ehci.0: USB 2.0 started, EHCI 1.00 usb usb1: configuration #1 chosen from 1 choice hub 1-0:1.0: USB hub found hub 1-0:1.0: 1 port detected TCP cubic registered NET: Registered protocol family 17 802.1Q VLAN Support v1.8 Ben Greear All bugs added by David S. Miller ar7240wdt_init: Registering WDT success VFS: Mounted root (squashfs filesystem) readonly on device 31:2. Freeing unused kernel memory: 116k freed ====>slow_led_expire 621: here ===>slow_led_expire 625: off init started: BusyBox v1.01 (2011.04.01-07:49+0000) multi-call binary ====>slow_led_expire 621: here ===>slow_led_expire 636: on This Board use 2.6.31 xt_time: kernel timezone is -0000 nf_conntrack version 0.5.0 (512 buckets, 5120 max) ====>slow_led_expire 621: here ===>slow_led_expire 625: off ip_tables: (C) 2000-2006 Netfilter Core Team insmod: cannot open module `/lib/modules/2.6.31/kernel/iptable_raw.ko': No such file or directory ====>slow_led_expire 621: here ===>slow_led_expire 636: on insmod: cannot open module `/lib/modules/2.6.31/kernel/flashid.ko': No such file or directory PPPoL2TP kernel driver, V1.0 PPTP driver version 0.8.3 insmod: cannot open module `/lib/modules/2.6.31/kernel/harmony.ko': No such file or directory ====>slow_led_expire 621: here ===>slow_led_expire 625: off (none) mips #128 Fri Aug 26 14:58:53 CST 2011 (none) (none) login: Now flash open! Now flash open! ====>slow_led_expire 621: here ===>slow_led_expire 636: on ATHR_GMAC: Length per segment 1536 ATHR_GMAC: fifo cfg 3 01f00140 ATHR_GMAC: Mac address for unit 1:bf1f0006 ATHR_GMAC: 12:64:c3:58:67:a4 ATHR_GMAC: Max segments per packet : 1 ATHR_GMAC: Max tx descriptor count : 40 ATHR_GMAC: Max rx descriptor count : 96 ATHR_GMAC: Mac capability flags : 4D83 ATHR_GMAC: Mac address for unit 0:bf1f0000 ATHR_GMAC: 01:9c:b5:c8:b7:c9 ====>slow_led_expire 621: here ===>slow_led_expire 625: off ATHR_GMAC: Max segments per packet : 1 ATHR_GMAC: Max tx descriptor count : 40 ATHR_GMAC: Max rx descriptor count : 252 ATHR_GMAC: Mac capability flags : 4403 athr_gmac_ring_alloc Allocated 640 at 0x81e77800 athr_gmac_ring_alloc Allocated 4032 at 0x81d63000 Setting Drop CRC Errors, Pause Frames and Length Error frames Setting PHY...mac 0 ====>slow_led_expire 621: here ===>slow_led_expire 636: on ====>slow_led_expire 621: here ===>slow_led_expire 625: off ====>slow_led_expire 621: here ===>slow_led_expire 636: on athr_gmac_ring_alloc Allocated 640 at 0x81e77400 athr_gmac_ring_alloc Allocated 1536 at 0x81f25000 ====>slow_led_expire 621: here ===>slow_led_expire 625: off ====>slow_led_expire 621: here ===>slow_led_expire 636: on athr_gmac_mii_setup: MDC check failed Setting Drop CRC Errors, Pause Frames and Length Error frames ATHRS26: resetting s26 ATHRS26: s26 reset done Setting PHY...mac 1 ====>slow_led_expire 621: here ===>slow_led_expire 625: off device eth0 entered promiscuous mode Now flash open! ====>slow_led_expire 621: here ===>slow_led_expire 636: on ====>slow_led_expire 621: here ===>slow_led_expire 625: off ====>slow_led_expire 621: here ===>slow_led_expire 636: on nf_conntrack_rtsp v0.6.21 loading nf_nat_rtsp v0.6.21 loading ====>slow_led_expire 621: here ===>slow_led_expire 625: off asf: module license 'Proprietary' taints kernel. Disabling lock debugging due to kernel taint ====>slow_led_expire 621: here ===>slow_led_expire 636: on ath_hal: 0.9.17.1 (AR9380, DEBUG, REGOPS_FUNC, WRITE_EEPROM, 11D) ath_rate_atheros: Copyright (c) 2001-2005 Atheros Communications, Inc, All Rights Reserved ath_dev: Copyright (c) 2001-2007 Atheros Communications, Inc, All Rights Reserved ====>slow_led_expire 621: here ===>slow_led_expire 625: off ====>slow_led_expire 621: here ath_ahb: 9.2.0_U5.508 (Atheros/multi-bss) Boostrap clock 25MHz ar9300RadioAttach: Need analog access recipe!! Restoring Cal data from Flash ath_get_caps[4735] rx chainmask mismatch actual 1 sc_chainmak 0 ath_get_caps[4710] tx chainmask mismatch actual 1 sc_chainmak 0 wifi0: Atheros 9380: mem=0xb8100000, irq=2 wlan_vap_create : enter. devhandle=0x80c042c0, opmode=IEEE80211_M_HOSTAP, flags=0x1 wlan_vap_create : exit. devhandle=0x80c042c0, opmode=IEEE80211_M_HOSTAP, flags=0x1. VAP device ath0 created DES SSID SET=TP-LINK_620550 ieee80211_scan_unregister_event_handler: Failed to unregister evhandler=c0a048a0 arg=81fa8ac0 wlan_vap_delete : enter. vaphandle=0x80e60000 wlan_vap_delete : exit. vaphandle=0x80e60000 wlan_vap_create : enter. devhandle=0x80c042c0, opmode=IEEE80211_M_HOSTAP, flags=0x1 wlan_vap_create : exit. devhandle=0x80c042c0, opmode=IEEE80211_M_HOSTAP, flags=0x1. VAP device ath0 created DES SSID SET=TP-LINK_620550 ieee80211_ioctl_siwmode: imr.ifm_active=393856, new mode=3, valid=1 WARNING: Fragmentation with HT mode NOT ALLOWED!! device ath0 entered promiscuous mode br0: port 2(ath0) entering forwarding state ieee80211_ioctl_siwmode: imr.ifm_active=1442432, new mode=3, valid=1 br0: port 2(ath0) entering disabled state DES SSID SET=TP-LINK_620550 br0: port 2(ath0) entering forwarding state

MTD

cat /proc/mtd

dev:    size   erasesize  name
mtd0: 00020000 00010000 "u-boot"
mtd1: 000d9fa8 00010000 "kernel"
mtd2: 002f6058 00010000 "rootfs"
mtd3: 000f0000 00010000 "rootfs_data"
mtd4: 00010000 00010000 "art"
mtd5: 003d0000 00010000 "firmware"

USB port and monitoring Serial Console via USB-Serial

The USB port on the WR703n is not compatible with USB1 devices (aka full speed) and only works properly with USB2 (aka high speed) devices. You can however plug a USB-Serial adapter as long as you plug that through a <$10 USB2. While you're at it, use another USB port to plug in a USB key and write data there (like serial console logs) so as not to wear out the built in flash.

See this page for more tips and how to create a serial console server out of your WR703n: http://marc.merlins.org/perso/linux/post_2012-12-05_Serial-Console-With-WR703N.html

GPS Tracking Example

Here is a recipe for gps tracking using a usb gps module. https://forum.openwrt.org/viewtopic.php?pid=185438

Software Mods

DIY Projects

Hardware Mods

as a beginner, you really should inform yourself about soldering in general and then even obtain some experience!

Here are some interesting hardware hacks for the TL-WR703N, from the OpenWRT forum:

Internal USB hub and flashdrive upgrade
Converting MicroB USB to USB2serial+Power on TP-WR703N
TL-MR3420 flash modification (also applies to TL-WR703N)
The modification of openwrt for a 16M binary after a 16M flash modification of the WR703N
Building an external Serial Port (using common 3.5mm headphone jack)
POE (Power Over Ethernet) RJ45 and on the forum and on wlan-si web site
POE and USB to serial mod
Adding an LCD screen terminal for TP-Link routers
Solder inside ttl for TL-WR703N (Youtube video)
GPIO hack that gives you access to a software I2C port
Let's Get More,Make WR703 With 16M Flash
Allow a larger WR703 firmware image to utilize a 16 MB Flash

*Access serial communication on a mini router (no extra connector)

Antenna mods

Webradio device

This project implements a webradio with cheep usb soundcard and a speaker of an old mobile phone within the casing of the router. There are two analogue controllers for selecting the stream and the volume. Therefor an attiny85 is connected to the uart.

Building a tiny webradio with analog volume and tune controller

64MB RAM Mod

The Device uses a DDR1 16Mbit x 16bit (16Mibit*16=256 mebibit. 256 mebibit/8=32MiByte) 400MHz chip Zentel A3S56D40FTP. Replace it with any 32Mbit x 16bit chip. 333MHz instead of 400MHz also works fine. It's quite hard to find these chips. One of the ways to get them is to have a look at DDR SO-DIMM (because SO-DIMM modules are shipped with x16 chips). Since there are no 64Mbit x 16bit DDR1 Chips available → no 128 MB mod!

The most easy approach is to seek for a 4-chip DDR 256 MB module. These all have x16 chips too. Chips only on one side (not to be confused with double-sided 256 MB modules with 4 chips on each side) and only 4 of them - that's the best chance to get some. They represent a small percent among usual 8-chip modules but this is equalized with the amount and "cheap as dirt" price of such DDR 256 MB modules.

Working chips:

Hynix HY5DU121622DTP-D43 (From Mustang DDR SO-DIMM 512 MB)
Hynix HY5DU121622CTP-D43 (From Hynix DDR SO-DIMM PC2700S-25330 512MB DDR 333MHz CL 2.5, chips are 400Mhz compatible due to "D43" marking.)
Infineon HYB25D512160BE (From Infineon DDR SO-DIMM 512 MB)
Elpida EDD5116ADTA-6B-E (From Elpida DDR SO-DIMM 512 MB)

Additional list that may work:

		Type	ID Code	Vendor
DDR	32Mx16	DDR 400 TSOP Pb Free	HY5DU121622DTP-D43-C	Hynix
DDR	32Mx16	DDR 400 TSOP Pb Free	H5DU5162ETR-E3C	Hynix
DDR	32Mx16	DDR 400 Pb Free	K4H511638G-LCCC	Samsung
DDR	32Mx16	DDR 400 Pb Free	K4H511638J-LCCC	Samsung
DDR	32Mx16	DDR 400	A3S12D40ETP-G5	Zentel
DDR	32Mx16	DDR 400	NT5DS32M16BS-5T	Nanya
DDR	32Mx16	DDR 400 PB Free	P3S12D40ETP-GUTT	Mira
DDR	32Mx16	DDR 333 CL2.5 TSOP	MT46V32M16TG-6T:F	Micron
DDR	32Mx16	DDR 333 CL2.5 TSOP	MT46V32M16P-6T:F	Micron
DDR	32Mx16	DDR 333 PB Free TSOP	HYB25D512160CE-6	Qimonda
DDR	32Mx16	DDR 333 PB Free TSOP	HYB25D512160CEL-6	Qimonda
DDR	32Mx16	DDR 333 PB Free TSOP	HYB25D512160DE-6	Qimonda

By default router able to see all 64MB.

root@OpenWrt:~# free
             total         used         free       shared      buffers
Mem:         61864        48044        13820            0        30316

MiniPwner Home

The MiniPwner's key features include:

Integrated Wired and Wireless connections Once plugged into a target network, the Mini-Pwner can establish an SSH tunnel through the target network, or can be accessed by wifi. In addition, the MiniPwner can be configured as a wifi sniffer and logger - wardriving in your pocket.

Low power consumption, can be run off battery. With the 1700 mAh battery included in the kit, the Mini-Pwner will run for over five hours of active wired and wireless activity. No need to find a power outlet during the pen test.

Multiple Pen Testing Tools included tcpdump, nmap, kismet, all come pre-installed

Flexible and Expandable The MiniPwner runs on the open source OpenWrt operating system. You can easily add or change the installed packages.

Small size The MiniPwner can be easily carried in a pocket, hidden behind a telephone, or hang from a jack by a short ethernet cable.

There are many other creative ways to use the MiniPwner. Here is a list of some of the software that comes installed:

Nmap network scanner
Tcpdump sniffer
Netcat Hacker’s swiss army knife
aircrack Wireless network analysis
kismet Wireless network analysis
perl Perl Scripting Language
openvpn VPN Client and Server
dsniff suite of sniffing and spoofing tools, including arpspoof
nbtscan NetBIOS Network Scanner
snort Sniffer, Packet Logger, Intrusion Detection System
karma Wireless Sniffing Tool - not working yet….
samba2-client Windows File Sharing Client
elinks Text Based Web Browser
yafc FTP Client
openssh-sftp-client Secure File Transfer Client

Web - http://www.minipwner.com/

WR703N Expander board and case

Kean Electronics in conjunction with the Sydney Hackerspace has developed WR703N Expander board as Open Hardware, all schematics are available online on their website - http://www.kean.com.au/oshw/WR703N/

Connector Info

The upstream USB connection is intended to come via a 4 pin header plugged into the WR703N PCB below (existing USB connector removed).
You can also populate a mini-B connector for connection to any upstream USB host via a
You can populate up to 3 USB A female connectors, or use 0.1" headers/connectors to mount USB connectors
USB1 and USB2 are intended to be standard right angle connectors, but will also take vertical style.
USB2 is recessed - partly to make the PCB able to be mounted very low on top of the WR703N PCB, but it also makes it suitable for very small USB drives (Sandisk Cruzer Fit).
USB3 can be a right angle or more usually a vertical connector. Or left off completely.
If a right angle connector is used for USB3, you can't easily use PORTB (and you should probably put some insulating tape over the PORTB pads).
The PORTA and PORTB headers are similar to the common SparkFun FTDI connector, although they include RTS instead of DTR.
The GPIO connector is intended to be a standard 2x5 box header.
See the schematic for pin outs of the GPIO and serial ports. Due to space restrictions, the extra 8 GPIO's from PORTB are not routed out.

OpenWrt

Wiki Search

Actions

Donate

Translations