OpenWrt Forum Archive

Topic: TP-LINK WR702n (how to modify firmware from chinese to english ?)

The content of this topic has been archived between 25 Mar 2018 and 29 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi, I know this isn't related to OpenWrt, and that the WR702n will not run it due to flash/RAM size, but the one I purchased off eBay has Chinese menus.
Is there a way to modify the flash image file (bin) or connect to the router and modify the html files directly ?

I have downloaded the English firmware for the model, however it won't flash to the router, I get the error:

Error code: 18005
Upload the file version does not match with the models.

Any suggestions/help would be much appreciated.

(Last edited by tahunasky on 14 Dec 2012, 21:57)

It is NOT modify menus !!
It is change firmware, or change firmware language......!

Are you sure yours is wr702n ?
Are you sure you have downloaded correct file ?

Official English version firmware of wr702n:
http://www.tp-link.com/Resources/softwa … 120530.zip

Yes it is the WR702n (Ver 1.0).

I sent an email to TP-LINK and their support said:
"the one that is only sold in China mainland. There is only Chinese firmware version for it."

I did try the firmware you listed, however I always get the error:

Error code: 18005
Upload the file version does not match with the models

The latest Chinese version of firmware flashed without problems - which I got from here:

http://www.tp-link.com.cn/pages/downloa … .asp?d=789

So I am guessing there is something in the file header which is telling it not to flash the english version.

Does anyone know what I can do to either flash the English version or modify the Chinese firmware?

Yes, it will check the firmware file header to ensure user won't cross flash.

Could you take a photo of your device label for investigate ?

Here is an image of the info on the back of the WR702n wifi router I have.

WR702n

Do you know if it is possible to change the header info in the file, or modify the firmware BIN file, or how to login to the router to change the html menu code ?

Maybe a hi res pic of the board should be useful to compare it to the english version.. Open that case! ;-)

Here is a pic of PCB:

WR702n PCB

Thank you tahunasky!

I can say that the TL-WR702N PCB is exactly like the TL-WR703N with the following differences:

  • the 16Mbit x 16bit 400MHz chip Zentel A3S56D40FTP DDR1 SDRAM U2 chip providing 32MB is replaced by a Zentel A3S28D40FTP 8Mbit x 16bit 400MHz chip Zentel A3S56D40FTP DDR1 SDRAM chip providing only 16MB

  • it is difficult to tell from the picture, but U3, a Spansion S25FL032P 32Mbit 104-MHz SPI Flash memory providing 4MB is probably replaced by an Eon EN25B16 16Mbit 104-MHz SPI Flash memory providing only 2MB

  • the USB2 connector is not mounted, as well as all USB-related components: C113, C115, D1, R10, R101/R102/R103/R104 on top side and D2 and U6 the USB power switch on bottom side

  • otherwise, the PCB is Version 1.1, exactly like the TL-WR703N and is thus not RoHS/CE/FCC compliant

I suspect that the TLWR702N sold for export outside China has a different PCB which is RoHS/CE/FCC compliant, otherwise TP-Link would not be able to sell it.

Here is a slightly better pic of the flash chip.

SP1 Flash


So back to the original question, is it possible to flash the English version of the firmware, and if not, is there a way to change the menus to English in the Chinese firmware?

Thank you!

I read:

cFeon
QH16-104HrP
       123M01A7
       1226TDA

It is definitely an Eon SPI Flash, but I can't get a matching datasheet. From the "16", I guess this is a 16Mbit, and "104" is for 104MHz parts. The closest match is the EN25Q16A.

Back to your question, the firmware file contains a header that specifies the particular model of router to which the file is to be used for.

Here is the header for the Chinese firmware:

00000000: 0014 2fc0 135b 21e4 8ac8 bea9 9eff dd28  ../..[!........(
00000010: 3bf0 9abb 494d 4730 0014 b200 0702 0001  ;...IMG0........
00000020: 0000 0001 5a04 1234 0000 0000 0000 0000  ....Z..4........
00000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000050: 0000 0000 0000 0080 000f 607f 000f 6100  ..........`...a.
00000060: 0005 3bf0 0014 9cf0 0000 1510 0000 0000  ..;.............
00000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000080: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000090: 0000 0000 6e00 0080 0010 df38 0000 0000  ....n......8....
000000a0: 0000 1e01 fe00 0233 c6b8 50f0 8dd9 97a8  .......3..P.....
000000b0: 7e3b 0093 bcba 61de 7c0e 133e e75e aadc  ~;....a.|..>.^..
000000c0: 9af0 84d1 ea6d ef21 2739 46a3 19bb 952c  .....m.!'9F....,
000000d0: 55d5 7d3d 062b ddca 88e6 88ba 058b e990  U.}=.+..........

And here is the one for the English firmware:

00000000: 0014 2fc0 e686 2600 bf87 5396 58ce b6ee  ../...&...S.X...
00000010: df5d 19df 494d 4730 0013 4c10 0702 1101  .]..IMG0..L.....
00000020: 0000 0001 5a04 1253 0000 0000 0000 0000  ....Z..S........
00000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000050: 0000 0000 0000 0080 000e bfca 000e c050  ...............P
00000060: 0004 7670 0013 36c0 0000 1548 0000 0000  ..vp..6....H....
00000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000080: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000090: 0000 0000 6e00 0080 0080 9d36 0000 0000  ....n......6....
000000a0: 0000 1e01 fe00 0233 c6b8 50f0 8dd9 97a8  .......3..P.....
000000b0: 7e3b 0093 bcba 61de 7c0e 133e e75e aadc  ~;....a.|..>.^..
000000c0: 9af0 84d1 ea6d ef21 2739 46a3 19bb 952c  .....m.!'9F....,
000000d0: 55d5 7d3d 062b ddca 88e6 88ba 058b e990  U.}=.+..........

I don't know the exact header format, but at offset 0x00000014, you get "494d 4730" in both files, which translate to "IMG0" in ASCII for both firmwares.

Then you have a value "0014 b200" and "0013 4C10" at offset 0x00000018 which match the total file length of the respective firmware file.

At offset 0x0000001c, you have a value "0702" for both firmware, probably for "TL-WR702N"...

Then the most interesting field is at offset 0x0000001e: it contains the value "0001" for the Chinese firmware, and "1101" for the English firmware: this is probably the revision number, which is different between the firmwares. This value will have to be changed, but unfortunately, there are some MD5 sum protecting the header against corruption and manual changes.

I don't know how these md5sum are computed, so I can't patch the firmware file to match your hardware.

There is a similar thread on the TL-MR11U/TL-MR3040 and TL-WR703N Chinese/English containing a Windows utility to patch the file and compute the MD5 accordingly, but unfortunately, it doesn't work for the TL-WR702N files.
https://forum.openwrt.org/viewtopic.php … 45#p168045

Maybe someone can help with this?

EDIT: the "IMG0" string seems to indicate that it is a VxWorks firmware

(Last edited by Squonk on 15 Dec 2012, 11:04)

Squonk: Thanks for all the info.

Do you know (or anyone else) if there is a way to get to the prompt on the router, and then maybe dump the english firmware on that way ?

You can start by connecting a ttl serial adapter and post the full bootlog..

Pinout should be the same of wr703n..

I know this is an older thread, but I recently bought a WR702n thinking it was a 703 and too small a cost to not play with it. Don't see the option to browse for an update in the Chinese menu, and don't know if it is traditional or simplified Chinese--they say you can update the traditional menued 702 with english versions, so I'm guessing simplified box.
I took apart the latest english version v3 file, extracted the lzma compressed main code and found the string sent out the serial port when the md5 sum is not correct. Looking at the code around that area I found the 0x10 bytes of md5 copied from the 0x4 position of the file header then that space is overwritten with CC 96 28 EE 8D FB 21 BB 3D EF 6C B5 9F 77 4C 07 (hum, that last number looks wrong, but the first four should find the correct sequence). There is a routine that, skipping the first byte, looks for 0x00 value and adds 2 to the location found and subtracts that from the value in the first word of the header--that seems to be number of bytes the md5 covers--looks to me that would be 0x142fc0-0x23 bytes. Now, it gets harder and I haven't figured it all out. Looks like md5 is computed and stored, but then a second routine is called and it does some calls to the md5 routine too--two times, with some other stuff done as well. Might need to emulate the code or run it on some other mips based device to see what is really happening. Whatever that extra stuff is, once it is all done there is just a mem compare step and based on that result either error message sent out serial port or header removed and file written to flash.

Ah. Finally managed to reproduce an md5 for the english update files. You overwrite the existing md5 with that constant string shown above (0x7c for the last byte not 0x07) and then compute the md5 for the entire file. I can find the same string in the main sw part of the "stock" file, so I'm guessing that the stock 2M dump was from a traditional Chinese box (and the main sw in the stock file is the same as the main sw in the last posted english file). Still haven't tried to TFTP a file to my box. And haven't been able to find the spot to download chinese updates for the box--the old links don't seem to get you there.

Now that the md5 is figured out, seems time to look at how to mod to have box in english. I downloaded the standard chinese ch_up files and found that the sw in my box was the middle of the three from 5/2012. As there was an update and the download included a windows no-install tftp program I gave it a try and upgraded the box to the 11/2012 file--didn't know what I was doing but it happened OK.

Looking at the files cn_up vs en_up, I see much the same in the header as pointed out earlier in the thread. It looks like the later files for both en and cn break down into 4 parts--the first 0x6830 bytes or so seems to be pure code for boot; from 0x6830 to 0x40000 is what I've been calling the main code (lzma compressed, expands to about 680kbyte and is the same on both cn and en most recent files--byte compare finds no diff), from 0x40000 to roughly 0x130000 (search out the ascii string "owow" for end, "IMG0" for start roughly) is another section of lzma compressed code and data that expands to about 3.5MByte and there is a header to it that differs as pointed out in prev header info, last section is the files section--largely html files all lzma compressed individually with a table to tell you the file name, offset to start and length compressed. I built a little qbasic code to pull the files out and shell to lzma decompress util to get them all out where I could see them. About 180 files total in the english "stock" software flash dump that was posted and about 280 in the latest chinese file--seems to be roughly broken down into help files and screen forms with a few java and gif. The newer files in the cn file seemed to give one the ability to log into 702 with phone--maybe 25 files for that, but lots of others.

So, I think we could upload an english file to the box with two changes to the header and to the secondary info at 0x40000 and with md5 fixed up. OR, we could go in and change the html files--there really isn't much to change in each as there is mostly the html code in english with a few lines of stuff for the screen and often the html code tells you what should be in there. I extracted the english file as well as the chinese, so it could be pretty quick to mod most of the files with maybe a few days getting google to translate the others. The latest cn file seems to be about as large as could fit in the flash with what else has to be in the 2M space, so the re-compress and re-fit would have to work out, but you would end up with a box that still upgrades through TFTP and has more features than the latest en file--might be worth it.

OK! The basic idea worked. I modified three files--str_menu.js str_error.js and the popupSiteSurvey.htm so that they contained info in english where needed, recompressed (lzma utility from the 7-zip SDK using the -lc0 option) and patched into the file structure and fixed the md5, then loaded the modded file to the 702 and now I have one html file in all english and the menu shows in english too. Now, to fix enough of the rest of the files to have english--might not be too much work as the two js files I fixed had the most number of strings of any of the files, still lots to mod and figure out, but that is just a detail at this point.

Bit the bullet and load a modded english file to the 702, had to use the 703 gateway addr to get into setup again after the reboot, but all looks OK from what I've tried so far. The modded cn_up that I had tried seemed to be pushing the limits of both flash and RAM in the 702.

Hi jvvh5897, did you manage to load an en version of the firmware into the router, and if so how has the modded en file been working ?
Can you post a link to the file so i can try it on my 702n.
thanks

(Last edited by tahunasky on 5 Jul 2013, 01:47)

Yes, as noted above I did get a modded english file loaded by modifying the 702 hardware byte in two places and then fixing the md5 as posted above. The 702 works, has english menu, scans wifi signals, but I have yet to get it to give me internet on local wifi APs in client mode. I suspect that I just haven't set my PC up correctly rather than problem with the 702 or its current fw. And I haven't been working on it that hard either--so that might be part of why I haven't got it giving internet. Playing with the code was fun and the fix is so simple I don't see why a file need be posted. Many hex editors have the md5 calculator needed--saw a post on this site about fixing checksums and a few free hex editors that you can use--it really is easy.

OK, thanks for the info, i will try playing around with it when i get home and hopefully i wont stuff it up.

Oh, I think you will do OK. Just practice the md5 on the file before any mods. There is a md5sum program in ubuntu that would do the md5 calc required and wiki has sample md5 source code that can be compiled under lcc-win32 with ease and you could modify the source to use the md5 substitute string required rather than read the file's string.

BTW, I even got an IT guy to try to get the 702 to work as a client dongle--no joy. I switched back to chinese to see if it would work that way--haven't tested that yet, but the switch back was so easy! Just clicked on the web page while connected to 702's setup and browsed to the file and loaded it right in--no TFTP program, just click. Now, I'm back to looking at chinese and remembering what I need from the english pages. Do like that the chinese survey tells you the security method used rather than just the english, on or off message.

(Last edited by jvvh5897 on 6 Jul 2013, 23:33)

I have used the 702 in client mode, both connected to a pc's rj45 port and also connected to a switch, which a linux server and pc were connected to. Connected to a pc seemed to work fine for windows 7/8. Connected to a switch wasnt reliable - would work for a while then it would stop working. The only way to make it work again was to reboot router.

jvvh5897 wrote:

I took apart the latest english version v3 file, extracted the lzma compressed main code and found the string sent out the serial port when the md5 sum is not correct.

Hi, jvvh
Thanks for your great post.
But could you give some details about how to find main code?

I have downloaded firmware from this link:
http://www.tp-link.com/resources/softwa … 130528.zip

Get following result via binwalk:
DECIMAL       HEX           DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
20            0x14          IMG0 (VxWorks) header, size: 1535264
26820         0x68C4        LZMA compressed data, properties: 0x6E, dictionary size: 8388608 bytes, uncompressed size: 698624 bytes
262292        0x40094       IMG0 (VxWorks) header, size: 1272992
262420        0x40114       LZMA compressed data, properties: 0x6E, dictionary size: 8388608 bytes, uncompressed size: 3566768 bytes
1235588       0x12DA84      Wind River management filesystem, compressed, 182 files
1244368       0x12FCD0      LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 15228 bytes
........

I think the LZMA compressed data from 0x68C4 is main code, it's about 680kbyte after decompress, as you said before.
I can also find some useful strings such as 'VxWorks5.5.1'.
But I don't know how to continue the analysis with IDA now. I dragged the decompressed main code into IDA, but IDA can't find a single function.

There are many MIPS series processor types in IDA, I'm not sure which one should I choose and I don't know how to fill disassembly memory organization info.
Could you help me? What I want to do is analyze the main code and figure out how md5sum is calculated, so I can modify the firmware and then fix checksum.

Thanks.

I use the lzma.exe program from the 7-zip SDK to unpack the code and recompress--it is a command line console program.

Start of compressed info looks like:
6e 00 00 80 00 10

5A 00 00 80 00 B0 13 00--for the web pages.
If your examination finds 0x6e that would be a good place to try a uncompress too.

So look for the starting byte. You can copy to the end of the file from there, lzma.exe will stop when it gets to the end of the compressed info specified in the header that you point it to even if there are more lzma compressed chunks (I had to write a special routine to call lzma to extract the web pages embedded in the file as I pulled them out of the file into a temporary file).

You only get the same 0x5a  start byte in your files if you run lzma with the command line option -lc0:
lzma e wzdwla~1.htm test.bin -lc0

Use options  -lc0 -lp2 to get the 0x6e starting byte.

Don't think that the un-pack part of the lzma code cares in the 702 box, but I did not test that.

The code that starts at 0x68c4 is the compressed part of the boot. You can learn a lot from that code and it is smaller than the main code so less to get in the way--it does seem to have all the code needed to not only boot the box, but do comms on the web and serial port, flash LED and I suspect do a hard reset too with the button.

The main code starts around 0x40000 in the files and is lzma compressed too.

Use the mipsb setting in IDA. I can supply an IDC to help you do the disassembly, but it does not name routines for you. I can supply a list of routines that I have labeled.

BUT, I have already posted how to do the checksum. You overwrite the md5 sum that is at the file start with a specific string and do an md5sum over the whole file with that constant string. Then take the resultant md5 and replace the constant string with your new md5 sum.

Wiki has a basic source code example for md5 that I compiled under lcc-win32--it works just fine and could be modded to replace the string during the sum and replace the string with the real md5 sum at the end pretty easy. But if you don't plan on modding the code often, a hexeditor could do the job quicker.

The string you put in place of the md5 sum is:

CC 96 28 EE 8D FB 21 BB 3D EF 6C B5 9F 77 4C 7C

(Last edited by jvvh5897 on 14 Jul 2013, 21:26)
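Added example, not code from any poster in this thread: a Python checker that reads the header fields Squonk identified (MD5 at 0x04, "IMG0" at 0x14, length at 0x18, model at 0x1c, revision at 0x1e) and applies the digest procedure jvvh5897 describes. The field meanings are the thread's own guesses, the function names are hypothetical, and `build_sample` produces a constructed 96-byte image, not real firmware.

```python
import hashlib
import struct
from typing import NamedTuple

# Offsets and the substitute string are the ones reported in the thread.
MD5_OFF, MD5_LEN = 0x04, 16
MAGIC_OFF, MAGIC = 0x14, b"IMG0"
FIELDS_OFF = 0x18                      # u32 length, u16 model, u16 revision
MD5_SUBSTITUTE = bytes.fromhex("CC9628EE8DFB21BB3DEF6CB59F774C7C")

# First 0x20 bytes of the Chinese firmware header, copied from the dump above.
CN_HEADER = bytes.fromhex(
    "00142fc0135b21e48ac8bea99effdd28"
    "3bf09abb494d47300014b20007020001")


class Header(NamedTuple):
    stored_md5: bytes
    length: int
    model: int
    revision: int


def parse_header(image: bytes) -> Header:
    """Read the fields identified in the thread (all big-endian)."""
    if len(image) < FIELDS_OFF + 8:
        raise ValueError("too short to hold the header fields")
    if image[MAGIC_OFF:MAGIC_OFF + 4] != MAGIC:
        raise ValueError("IMG0 magic missing at 0x14")
    length, model, revision = struct.unpack_from(">IHH", image, FIELDS_OFF)
    return Header(image[MD5_OFF:MD5_OFF + MD5_LEN], length, model, revision)


def expected_md5(image: bytes) -> bytes:
    """MD5 of the whole file with the digest field replaced by the constant."""
    buf = bytearray(image)
    buf[MD5_OFF:MD5_OFF + MD5_LEN] = MD5_SUBSTITUTE
    return hashlib.md5(buf).digest()


def check_image(image: bytes, model: int, revision: int) -> list:
    """Return the reasons an updater applying these checks would refuse."""
    hdr = parse_header(image)
    problems = []
    if hdr.length != len(image):
        problems.append("length field does not match file size")
    if hdr.model != model:
        problems.append("model mismatch")
    if hdr.revision != revision:
        problems.append("revision mismatch")
    if hdr.stored_md5 != expected_md5(image):
        problems.append("md5 mismatch")
    return problems


def build_sample(revision: int = 0x0001) -> bytes:
    """Constructed 96-byte image (not real firmware) with a valid digest."""
    body = bytearray(0x20) + bytes(range(64))
    body[MAGIC_OFF:MAGIC_OFF + 4] = MAGIC
    struct.pack_into(">IHH", body, FIELDS_OFF, len(body), 0x0702, revision)
    body[MD5_OFF:MD5_OFF + MD5_LEN] = expected_md5(bytes(body))
    return bytes(body)


if __name__ == "__main__":
    print(parse_header(CN_HEADER))
    print(check_image(build_sample(), 0x0702, 0x0001))
```

Because the substitute string is a fixed constant present in the firmware itself, this digest catches corruption and accidental cross-flashing but does not authenticate where an image came from.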

jvvh5897 wrote:

The code that starts at 0x68c4 is the compressed part of the boot. You can learn a lot from that code and it is smaller than the main code so less to get in the way--it does seem to have all the code needed to not only boot the box, but do comms on the web and serial port, flash LED and I suspect do a hard reset too with the button.

The main code starts around 0x40000 in the files and is lzma compressed too.

Use the mipsb setting in IDA. I can supply an IDC to help you do the disassembly, but it does not name routines for you. I can supply a list of routines that I have labeled.

BUT, I have already posted how to do the checksum. You overwrite the md5 sum that is at the file start with a specific string and do

Hi, jvvh

Thanks for your quick reply.
I have already succeeded in fixing the checksum according to your instructions.
But it's not enough for me, I want to know how you find this, the process must be more funny than the result.
Seems your IDC will be great useful, could you share it to me?

Thanks very much.