OpenWrt Forum Archive

Topic: TL-WR941ND V3.2 Partially Bricked.... can it be saved???

The content of this topic has been archived on 25 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi as tittle says I have and TP-LINK TL-WR941ND V3.2 wich I flashed with OpenWrt Kamikaze Trunk. So far the router boots and I'm able to telnet into de router (and SSH after changing root password) an execute commands like mtd, uci, etc....

The problem is that I can access to the web interface!!!!

To make things short:
I used Ubuntu 9.10 32Bits Virtual machine (VBox based) as build environment and using following command to check out source

svn checkout svn://svn.openwrt.org/openwrt/trunk

then I did "make menuconfig" and set following

Target System ---> AR71XX
Target Platform ---> TL-WR941NDV2

I also changed OpenWrt´s default Lan IP to 192.168.0.254 (accordly to my Lan configuratio) and then exit saving changes... then I built the firmware typing "make", no errors so far so I flashed my router through manufacturer web interface using the generated openwrt-ar71xx-squashfs-universal.bin(or something like that).

Doing some research through router filesystem i found that /www folder is empty so I tried to install both LUCI (first) and webif to ram but both fails even using "-d ram" switch fo opkg and setting option overlay_root  to /tmp (instead of /jffs)...

My main Problem is that I'm stuck right now cause I even tried to reflash a newly compiled openwrt with webif installed but flashing just won't take any effect

Using mtd -e firmware write openwrt.trx firmware doesn't through any error but after rebooting the firmware is exactly the same as before reflasing, i also noticed that any change I made to config (even root password) is lost after rebooting the router....

as a last resource I´ve tried to return to manufacturer firmware but i get the following error:

Writing from wr941nv2.trx to firmware ..... [e]Failed to erase block

I´ve also tried flashing the bin provided by the manufacturer but got same error.... so i'm starting to get desperated

Sorry for the long post

No body has a clue???

I found this https://dev.openwrt.org/browser/trunk/t … -wr941nd.c

static struct mtd_partition tl_wr941nd_partitions[] = {
34            {
35                    .name           = "u-boot",
36                    .offset         = 0,
37                    .size           = 0x020000,
38                    .mask_flags     = MTD_WRITEABLE,
39            } , {
40                    .name           = "kernel",
41                    .offset         = 0x020000,
42                    .size           = 0x140000,
43            } , {
44                    .name           = "rootfs",
45                    .offset         = 0x160000,
46                    .size           = 0x290000,
47            } , {
48                    .name           = "art",
49                    .offset         = 0x3f0000,
50                    .size           = 0x010000,
51                    .mask_flags     = MTD_WRITEABLE,
52            } , {
53                    .name           = "firmware",
54                    .offset         = 0x020000,
55                    .size           = 0x3d0000,
56            }
57    };

the firmware partition doesn't have the MTD_WRITEABLE flag! Does this means that is not writable through mtd???

I'm still figthing....

Right know I switched to to serial port but still unable to flash anything on my router... even using U-Boot. BTW my router PCB revision is 1.2 and it appears that TP-Link rearranged the components a bit and removed the JTAG´s Conector pins.

Anyway this is driving me crazy.... my last attempt was to erase the flash from where U-Boot is loading the image and although all opérations completed without error.... my router stills loading OpenWRT!!!!

This is what I did:

1.- Firt using an HEX editor I removed the Header+U-Boot part from the original firmware (I read this from another user that stated that TP-LINK firmware is composed by Header+U-Boot+HEader+Firmware... I've opened the original firmware and this is rigth)

the Header+firmware part starts at 0x202000 so I removed all from 0x0 to 0x201FF

2.- I loaded the resultant firmware using tftp to address 0x80800000... and then:

ar7100> tftp 0x80800000
set link to 100M full by lqm.
dup 1 speed 100
*** Warning: no boot file name; using '0A01A8C0.img'
Using eth0 device
TFTP from server 192.168.1.169; our IP address is 192.168.1.10
Filename '0A01A8C0.img'.
Load address: 0x80800000
Loading: #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         ######################################################
done
Bytes transferred = 3932160 (3c0000 hex)
ar7100> protect off 0xbf020000 +0x3c0000
Un-Protected 60 sectors
ar7100> erase 0xbf020000 +0x3c0000

First 0x2 last 0x3d sector size 0x10000                                       61
Erased 60 sectors
ar7100> cp.b 0x80800000 0xbf020000 0x3c0000
Copy to Flash... write addr: bf020000
done
ar7100> reset

AND THE FLASH WAS NOT MODIFIED!!!!!!

I even went mad and tried this:

ar7100> protect off 0xbf020000 +0x3c0000
Un-Protected 60 sectors
ar7100> erase 0xbf020000 +0x3c0000

First 0x2 last 0x3d sector size 0x10000                                       61
Erased 60 sectors
ar7100> reset

Resetting...

NO LUCK!!!!!!!!!!!!!

I'm still hoping that I'm doing something wrong but the idea that the FLASh is write protected or need something special to be flashed... something that is programmed on TP-Link Web Interface

HELPPPPPPPPPPPPPPPP

Same here, with the 3.2, cannot flash anything on it after change to openwrt, may be jtag is out last hope.
got a 1043nd which I can write to the flash, so there may be something different with the 3.2

Well I was able to find Intel's S33 Flash Memory datasheet (my router has an 320S33B)

http://www.silica.com/fileadmin/02_Prod … telS33.pdf

It appears that this memories has a combined register/hardware protection mode that can be used to protect some sectors of the memory:

from 64 to 127 on 64M Chips
From 32 to 67 on 32M Chips
From 16 to 31 on 16M Chips

Additionally these chips has some separated sector that are OTP (One-Time Programming)

You are right, so far the only way i can think to recover our routers is to flash directly to memory, but unfortunately I was unable to find that JTAG conector, in fact I´m thinking it was removed from this revision...

Anyway my skills on electronics are limited but I think I can use an 18F2550/4550 to gain access to the memory through SPI Bus, the idea is to check an disable (where possible) write protection by driving pin 9 (W#) to high, then playing with SRWD and BP bits to see if we are able to write through normal MTD

(Last edited by fzfq3m on 21 Dec 2009, 15:32)

Hello All,
I have the same exact problem with my TP-Link WR941 Ver.3.2....PCB Revision is 1.2 with no JTAG.
At the moment I will go through the datasheet for the flash chip.....so as to see if i can manually bridge the WP pins.
Any help from your side will be greatly appreciated.
Thanks and Regards,
Edward Scerri

Same here. My model is TP-Link TL-WR941ND v.3.2.

Cannot reflash, mtd shows no error but after reboot everything is the same. Changes in jffs are ignored between reboots and opkg segfaults when trying to install luci.

It has to be something with flash write but this is far beyond my poor electronics knowledge.

I am completely stuck. Any help is greatly appreciated.

I think the way to go is to pull out the flash IC, re-program it via an external programmer and put it back in again.....

I've seen this problem with other revisions of the wr941nd, but as far as I can tell it seems to be a problem that only affects some units. I know it sounds strange but I have flashed openwrt on a lot of these and about 10-15% seem to have the problem. Also, looking at the MACs of the units that have the problem it seems some MAC-ranges are more prone to this than others.

A strange problem I must say... Could it be some bridge somewhere that is not correctly closed/open on some units? The very strange part is that the initial openwrt flash always works! It's after flashing openwrt that the flash is somehow frozen... Could it be something in the openwrt flash image? Maybe a combination of the two?

As Far I can tell my router's flash memory doesn´t have hardware Write Protection enabled because W# pin (PIN 9) is driven high on normal boot... and according datasheet this pin needs to be LOW in order to enable that feature... I only need to check the status register to see if the chip is Software Write Protected by default... so I will need to use some In-Circuit SPI interface to gain direct access to the chip

I´m still waiting for an PIC18F4550 that I've ordered, my idea is to check and modify these register to allow programming... or in the worse case to try to program the memory directly using the PIC...

One thing tha makes me worry is that these chips appears to have an OTP (One Time Programming) memory section... I hope it wasn´t used.

This commit seems to solve the problem for me: https://dev.openwrt.org/changeset/19114 Thanx Gabor!

With serial access it should be simple to tftp-boot a fixed kernel and replace the flash. But can it be done from Linux without serial? I have quite a lot of soldering to do otherwise...

I'm thinking a kernel module that basically does the equivalent of that if-statement in the patch and then replaces the flash. Is that the best way?

hello _bbb_,

Can you explain to us (linux newbies) in more detail what it takes to get the wr941, with the flash issue fixed? I followed the link you pasted.....but arrived nowhere....I'm quite lost.

Thanks in advance for your help,
Edward

I don't know if it is posible to build such a module but my guess is that we might be able to transfer the patched trunk kernel to the device and switch to it using kexec. Then use mtd to flash the new image.

The idea came from this thread:
https://forum.openwrt.org/viewtopic.php?id=14163

Regards

will this really? as we can't replace the firmware even in u-boot.

_bbb_

unless I'm misunderstanding!!! what you are trying to say is that the problem was corrected in lattest svn trunk!!! and what we need to do is:

1.- Compile from lattest svn
2.- Get into U-Boot using serial console
3.- From U-Boot load and boot the generated image by using tftpboot
4.- If the image boots successfully then try to flash (from the booted image) using MTD...

I've tried this before but I'm unable to get U-Boot to temprally boot my compiled image... I always get kernel panic error or something about the image not being compressed with righ format!!

Anyway, I think this worth a try while I keep waiting for my FTDI USB interface to arrive... so I'm compiling right now.
By the way wich options sould i set for compiling a tftpboot compatible image??

Should I set target image to ramdisk with LZMA compression or should i set target image to jffs2+squashfs+tgz??

regards

(Last edited by fzfq3m on 14 Jan 2010, 18:50)

fzfq3m,
What I'm using as a USB interface is a mobile phone data cable......
since router voltage is 3.3V, I left the router TXD line intact as 3.3V will be recognised as a 5V logic one
on the TX side, I have done a potential divider, so that the 5V signal will be level translated to 3.3V or in the whereabouts.
Edward

FYI,

I've just built latest trunk from svn and sent kexec binary, zlib and kernel to the router.

root@OpenWrt:/tmp/kexec/# ./kexec -l vmlinux.elf  --command-line="rootfstype=squashfs,yaffs,jffs2 noinitrd console=ttyS0,115200 board=TL-WR941ND"
kexec_load failed: Function not implemented
entry       = 0x64550 flags = 0
nr_segments = 2
segment[0].buf   = 0x2ab86008
segment[0].bufsz = 272200
segment[0].mem   = 0x60000
segment[0].memsz = 28c000
segment[1].buf   = 0x423130
segment[1].bufsz = 100
segment[1].mem   = 0x2ec000
segment[1].memsz = 1000

It seems that kexec is not very well implemented in the kernel installed in my router. I've been googling a while and found that kexec is a wip for MIPS platform. So we'll have to try tftpboot.

I've tried to open the router case but after taking out the two screws I am unable to take out the front black plastic panel. I'd rather not break it. How did you open it?

Thank you!

orodriguez wrote:

FYI,

I've just built latest trunk from svn and sent kexec binary, zlib and kernel to the router.

root@OpenWrt:/tmp/kexec/# ./kexec -l vmlinux.elf  --command-line="rootfstype=squashfs,yaffs,jffs2 noinitrd console=ttyS0,115200 board=TL-WR941ND"
kexec_load failed: Function not implemented
entry       = 0x64550 flags = 0
nr_segments = 2
segment[0].buf   = 0x2ab86008
segment[0].bufsz = 272200
segment[0].mem   = 0x60000
segment[0].memsz = 28c000
segment[1].buf   = 0x423130
segment[1].bufsz = 100
segment[1].mem   = 0x2ec000
segment[1].memsz = 1000

It seems that kexec is not very well implemented in the kernel installed in my router. I've been googling a while and found that kexec is a wip for MIPS platform. So we'll have to try tftpboot.

I've tried to open the router case but after taking out the two screws I am unable to take out the front black plastic panel. I'd rather not break it. How did you open it?

Thank you!

lift the upper case a little, you will see there are 2 big lock next to that plastic panel, it a little bit tricky.

fzfq3m wrote:

_bbb_

unless I'm misunderstanding!!! what you are trying to say is that the problem was corrected in lattest svn trunk!!! and what we need to do is:

1.- Compile from lattest svn
2.- Get into U-Boot using serial console
3.- From U-Boot load and boot the generated image by using tftpboot
4.- If the image boots successfully then try to flash (from the booted image) using MTD...

I've tried this before but I'm unable to get U-Boot to temprally boot my compiled image... I always get kernel panic error or something about the image not being compressed with righ format!!

Anyway, I think this worth a try while I keep waiting for my FTDI USB interface to arrive... so I'm compiling right now.
By the way wich options sould i set for compiling a tftpboot compatible image??

Should I set target image to ramdisk with LZMA compression or should i set target image to jffs2+squashfs+tgz??

regards

should be ramdisk with LZMA

for WNDR3700, it need to fix the image header otherwise u-boot won't load it.
https://forum.openwrt.org/viewtopic.php … 75#p100275

(Last edited by DummyPLUG on 15 Jan 2010, 00:59)

orodriguez, you don't need to remove black front panel... instead you need to remove top cover instead.
After you remove the screws you need to separate a bit the top and bottom covers (in the back side) and then you need to pull out that black "U" form that have the antenna port attached... do it gently and don´t pull it out to far from the case because the antenna pigtails are soldered directly to pcb... after that you should now have access to two detents that are one each side of front panel (inside)... use a small flathead screwdriver two open those detents... you need to manage to keep then open because there´s a three more detents that you need to open in order to completely remove the top cover...

The remaining detents are smaller ones and they are located in the upper part of the black front panel, you can use same small flathead screwdriver between the top cover and the black front panel (above the "1" Led that indicate Port One) to separate them... after that, if all went fine, you shuold have easy access to your router´s inside.


DummyPLUG thanks for the advice... I'm having some trouble compiling lattest trunk after doing "svn up" so I'm downloading a fresh copy right now

Alright, I compiled a fresh kamikaze trunk r19223 (no svn up) with following parameters:
Target System (Atheros AR71xx/AR7240/AR913x)
Target Profile (TP-LINK TL-WR941ND v2)
Target Images ---> ramdisk compression (LZMA)

after saving menuconfig and executed make download it generates the following files in bin/ar71xx
openwrt-ar71xx-vmlinux-initramfs.elf (4.009KB)
openwrt-ar71xx-vmlinux-initramfs.bin (3.969KB)
openwrt-ar71xx-vmlinux-initramfs.gz (2.624KB)
openwrt-ar71xx-uImage-gzip.bin (2.568KB)
openwrt-ar71xx-vmlinux-initramfs.lzma (2.304KB)
openwrt-ar71xx-uImage-lzma.bin (2.273KB)

I copied these 6 files into my tftp server root directory plus the original firmware without header+u-boot part (removed with dd if=tlwr941ndv2.bin of=original.bin skip=131584 bs=1)

Not matter what file I use, I always get error booting from U-Boot

If I try to boot the following images:
openwrt-ar71xx-vmlinux-initramfs.elf ------> (iminfo returns "Bad Magic Number")
openwrt-ar71xx-vmlinux-initramfs.bin------> (iminfo returns "Bad Magic Number")
openwrt-ar71xx-vmlinux-initramfs.gz  -----> (iminfo returns "Bad Magic Number")
openwrt-ar71xx-uImage-gzip.bin ----------> (iminfo returns this: http://pastebin.com/me1b90d0)
openwrt-ar71xx-uImage-lzma.bin ---------> (iminfo returns this: http://pastebin.com/d606dec8f)
openwrt-ar71xx-vmlinux-initramfs.lzma --> (iminfo returns "Bad Magic Number")

then i get: "Booting image at 81000000 ... Uncompressing Kernel Image ... Error: Bad gzipped data" when issuing bootm

I also tried to boot the original firmware from tp-link (without the header+u-boot part as i mentioned before), and although iminfo also returns "Bad Magic Number", the kernel starts to run but after a while it throws a "Kernel Panic"... check out ------> http://pastebin.com/d27471572

As a last resource I compiled again but setting target image to squashfs, but when running openwrt-ar71xx-tl-wr941nd-vs-squashfs-universal.bin (iminfo returns "Bad Magic Number" ) i also got a kernel panic.... checkout ------> http://pastebin.com/d325fb35

What am I doing wrong??? I've tried to boot lattest openwrt trunk from my router memory but no luck so far....

I figured out what I did wrong... the firmware I flashed into my tl-wr941nd had ipv6 enabled and I didn't include ipv6 in my last compilation... last night I conpiled with ipv6 enabled and the resultant firmware booted from uboot without problem... I was able to erase the "firmware" partition usinf mtd...

Great mtd is working now.. but unfortunatelly I made another mistake (agaaaaainn)... I compiled with target set, so I turned off my router and compiled openwrt again but with normal squashfs as target... but the router refuses to boot the previously image that I used (ramdisk one)...

so I'm stuck with a router witout firmware (just with u-boot).... anyway, I just need to boot a minnmial openwrt to be able to restore the firmware through mtd..

I'll keep you posted

Crap... I'm having trouble booting Openwrt ramdisk images... I'm getting Bad gzipped data when using lzma and gzip uImages,.. and kernel panic when using the squashfs-universal binary....

I'm a bit lost an at this point...

The discussion might have continued from here.