Flashing TP-Link WR841N router with DD-WRT

[soldar]

I picked up from the street a TP-Link WR841N(TPD) Ver 9.0 router. It seems it has some proprietary software from some company that used it to sell services to public places, like restaurants, so customers could use free wifi in exchange for advertising.

The router is configured at 172.16.0.1, 255.255.0.0 and I can connect to it there both by ethernet and by wifi. It responds to ping but when I try with the browser and http I just get a text error message

Unable to launch the requested Lua program:
  /root/gestorConexiones.lua: /root/gestorConexiones.lua:163: attempt to concatenate global 'promotionId' (a nil value)

It seems "lua" is some simple programming language from Brazil. I am guessing the device is trying to call home before even getting started.

With this software it is useless to me and I thought of flashing it with DD-WRT.  Last time I attempted to flash a router I bricked it. In this case it would not be a great loss because it is pretty much useless as it is and because I am doing this for fun. I have more routers than I can use. So let us have a look a possible ways to flash this thing.

1- HTTP & Ethernet. As explained above there is no configuration page I can access. Unless someone has a better idea this seems like a dead end. To use this the router needs to cooperate and it is not.

2- JTAG. The board seems to have a JTAG connector ready to accept a header. I have never used JTAG. Reading about it it seems it uses the old printer parallel port. This seems cumbersome and I think I would rather avoid going this route.

3- USB Next to the JTAG there is a four pin place for a header which I interpret as USB. I wonder about trying this but I suspect it depends on the current firmware supporting it and it probably does not so it is like http & Ethernet. Probably no-go.

4- Removing/desoldering the Flash chip and having someone flash it for me because I do not have the means or inclination to do it. The chip is an 8 pin SMD mx25L3206 which I gather is 32 K bit. Being SMD I would need to be extremely careful but this seems like the most straightforward route to me if i can find someone who can flash the memory chip for me.

5- Other? Return it to the trash?

I guess, in the worst of cases, I can always use it as a switch using the four LAN ports. It does work with the 192.168.x.x LAN. Although the WIFI is on and useless then. Hmmm....

[retiredcaps]

Did you try the hardware reset?

https://www.tp-link.com/ca/support/faq/497/?utm_medium=select-local

https://reset-routers.com/routers/hard-reset-tplink-tlwr841nd/

[retiredcaps]

It looks like this device is 4MB flash 32MB DRAM.  I have a lot of "free" wi-fi routers in this range.

With it, you can choose dd-wrt or openwrt.  I find openwrt less buggy than dd-wrt.  For example, using dd-wrt, I found that simple things like

echo foo > /tmp/test

doesn't work on the K26 build for a Cisco/Linksys router.  No problems with openwrt on the same router.

I'm using a Dlink dir-615 c1 right now, but I found on dd-wrt, that the 2.4Ghz radio would stop responding after a couple of hours to a couple of days.  No problems with openwrt on the exact same router.

With either, I have enabled a simple script to add a hosts file for some ad-blocking at the router level.

On some of my other Cisco/Linksys routers, I HAVE to use dd-wrt because it contains the broadcom proprietary blobs to make 802.11n work.  Openwrt uses open source code and it doesn't support 802.11n speeds with the broadcom chipset.

[tunk]

https://openwrt.org/toh/tp-link/tl-wr841nd

I had a 841v8 which I bricked and IIRC I used TFTP (with network cable) to unbrick it.
Pt. 3: This most likely is 3.3V TTL serial (not RS232).

[retiredcaps]

I should say that openwrt, like all software, isn't perfect either.

I have a Cisco/Linksys E2000 that was running openwrt 17 fine.  I decided to upgrade to 18.0 and the 18.0 software bricked the E2000. 

I haven't yet tried to unbrick using a serial to USB jig.  It's a very low priority given how many "free" wifi routers I have as a backup.  I just hate seeing still useful equipment go to waste.

[magic]

3- USB Next to the JTAG there is a four pin place for a header which I interpret as USB. I wonder about trying this but I suspect it depends on the current firmware supporting it and it probably does not so it is like http & Ethernet. Probably no-go.

LOL, no.
It's almost certainly UART and there is likely a bootloader there. Confirm with a scope and hack away.

[soldar]

Thanks to all who responded.

The thing definitely has some proprietary firmware and resetting does nothing except reset it to the installed firmware. Interestingly it responds to pings of any IP address at all.

Whether to choose DD-WRT or other firmware is for later. I will keep the advice in mind. For now I just need to see if I can get into it.  Yes, I have plenty of free routers. It is just the challenge of recycling this one which somebody dumped.

Pt. 3: This most likely is 3.3V TTL serial (not RS232).

OK. I did a bit of searching and this sounds promising. I measured the voltages at the four header pins with a multimeter because I do not have a 'scope at hand. Starting from one end: 3.2 V (Vcc?), 0 V (Gnd) , 0 V (RxD?), 2.5 (TxD?). I can check again when I get to a 'scope.

At any rate, I have a computer with serial DB9 but I would have to check voltages. It should not be too difficult to build a voltage translator if necessary but I remember building a similar cable many years ago for a GPS and: (1) gnd to gnd, (2) 3V Vcc not connected because each device powers itself and (3) both data wires were connected directly even though I remember the GPS was all 3 V.
Maybe the levels at the DB9 were TTL and not RS232. I will have to check that.

So, let us assume I correctly identify the header on the router board and manage to connect it with a cable to the computer.  Now, say I am in Win XP so I open Hyper Terminal. Gosh, it's been so long. It brings back memories. How do I know speed and other parameters? Just keep trying?

In other words. Once I am connected, what are the steps to get to flashing?

I connect to the board and find a non-cooperative OS or even non responsive OS. Now what?

[tunk]

I think all DB9 serial on PCs are RS232: https://en.wikipedia.org/wiki/RS-232#Voltage_levels
These levels will damage your router.
As for speed you could first try 115200 baud, 8N1.
When you get that running check that you have the uboot bootloader.
Without that I'm not sure if you will get anywhere.

[magic]

Most people use USB-UART cables.

There should be a bootloader before the OS.

tunk's link has instructions for openwrt. For dd-wrt, check their site.

It seems you will need some sort of tftp server. And they say with version 9 you don't even need serial access because it will try to download firmware automatically at boot from some magic IP.

[soldar]

I think all DB9 serial on PCs are RS232: https://en.wikipedia.org/wiki/RS-232#Voltage_levels

You are probably right. I now remember an old Nokia phone and I needed an adapter with a MAX232 adapter IC. So I guess somehow the GPS could use and/or generate RS232 levels.

It should not be difficult to rig a level converter for the modem as this would be a one time thing and later I could use the regular port.

[soldar]

OK, this is my first approximation for a RS232 to TTL 3.3V adapter/converter.

If I use a desktop I can get the +/- 12V from the computer itself. If I use a laptop I can rig some external PSU. It seems there is much latitude in the range here so I could probably even use a couple of wall warts.

It should work. Right?

Some sources say RTS and CTS need to be connected.

OTOH, I could just buy an adapter on eBay for less than a dollar.

[soldar]

A slight variation on the above. I derive the 3.3V from the 12 V instead of taking it from the router. Maybe a bit safer like that.

[soldar]

When you get that running check that you have the uboot bootloader.
Without that I'm not sure if you will get anywhere.

The uboot bootloader? Is this something I should find installed? Or something I need to have on my side?

If it is something I need to find installed, what happens if it is not there?

I guess my question is, once I manage to get some kind of communication through that serial port, what do I do? What do I type and what response should I get?

[retiredcaps]

The uboot bootloader?

I guess my question is, once I manage to get some kind of communication through that serial port, what do I do? What do I type and what response should I get?

See the link tunk provided earlier.

It's all in there.

=== snip ===

 After connecting, you will be greeted by something like this:

AP93 (ar7240) U-boot
DRAM: 

[soldar]

Thanks. So it is something that needs to be in there already. What are the chances it is not in there? That they just flashed the thing and had no provision for changing the firmware?  I guess it would be pretty unlikely?

I'd hate to build the adapter thing only to find out the thing doesn't respond.  Oh well. I guess I'll go ahead anyway.

[soldar]

OK, I managed to connect and get some output (in attached file).

Code: [Select]


U-Boot 1.1.4 (Build from LSDK-9.5.3.16 at Oct 13 2014 - 17:01:20)

ap143 - Honey Bee 1.1

DRAM:   32 MB
Flash Manuf Id 0xc2, DeviceId0 0x20, DeviceId1 0x16
Flash:  4 MB
Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ath_gmac_enet_initialize...
ath_gmac_enet_initialize: reset mask:0xc02200
Scorpion ---->S27 PHY*
S27 reg init
GMAC: cfg1 0x800c0000 cfg2 0x7114
eth0: ba:be:fa:ce:08:41
athrs27_phy_setup ATHR_PHY_CONTROL 4:0x1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 4:0x10
eth0 up
Honey Bee ---->  MAC 1 S27 PHY*
S27 reg init
ATHRS27: resetting s27
ATHRS27: s27 reset done
GMAC: cfg1 0x800c0000 cfg2 0x7214
eth1: ba:be:fa:ce:08:41
athrs27_phy_setup ATHR_PHY_CONTROL 0:0x1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 0:0x10
athrs27_phy_setup ATHR_PHY_CONTROL 1:0x1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 1:0x10
athrs27_phy_setup ATHR_PHY_CONTROL 2:0x1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 2:0x10
athrs27_phy_setup ATHR_PHY_CONTROL 3:0x1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 3:0x10
eth1 up
eth0, eth1
Setting 0x181162c0 to 0x5cb9a100
is_auto_upload_firmware=0
Autobooting in 1 seconds
## Booting image at 9f020000 ...
   Uncompressing Kernel Image ... OK

Starting kernel ...

[    0.000000] Linux version 3.10.49 (pablo@pablo-SC) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r44049) ) #197 Wed Sep 2 11:17:41 CEST 2015
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU revision is: 00019374 (MIPS 24Kc)
[    0.000000] SoC: Qualcomm Atheros QCA9533 rev 1
[    0.000000] Clocks: CPU:550.000MHz, DDR:395.288MHz, AHB:197.644MHz, Ref:25.000MHz
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 02000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x00000000-0x01ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x00000000-0x01ffffff]
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32bytes
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 8128
[    0.000000] Kernel command line:  board=TL-WR841N-v9 console=ttyS0,115200 rootfstype=squashfs,jffs2 noinitrd
[    0.000000] PID hash table entries: 128 (order: -3, 512 bytes)
[    0.000000] Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
[    0.000000] Writing ErrCtl register=00000000
[    0.000000] Readback ErrCtl register=00000000
[    0.000000] Memory: 28720k/32768k available (2253k kernel code, 4048k reserved, 597k data, 284k init, 0k highmem)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS:51
[    0.000000] Calibrating delay loop... 366.18 BogoMIPS (lpj=1830912)
[    0.060000] pid_max: default: 32768 minimum: 301
[    0.060000] Mount-cache hash table entries: 512
[    0.070000] NET: Registered protocol family 16
[    0.070000] MIPS: machine is TP-LINK TL-WR841N/ND v9
[    0.490000] bio: create slab <bio-0> at 0
[    0.490000] Switching to clocksource MIPS
[    0.500000] NET: Registered protocol family 2
[    0.500000] TCP established hash table entries: 512 (order: 0, 4096 bytes)
[    0.510000] TCP bind hash table entries: 512 (order: -1, 2048 bytes)
[    0.520000] TCP: Hash tables configured (established 512 bind 512)
[    0.520000] TCP: reno registered
[    0.530000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.530000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.540000] NET: Registered protocol family 1
[    0.560000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.560000] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.580000] msgmni has been set to 56
[    0.580000] io scheduler noop registered
[    0.580000] io scheduler deadline registered (default)
[    0.590000] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
[    0.620000] serial8250.0: ttyS0 at MMIO 0x18020000 (irq = 11) is a 16550A
[    0.620000] console [ttyS0] enabled, bootconsole disabled
[    0.620000] console [ttyS0] enabled, bootconsole disabled
[    0.640000] ath79-spi ath79-spi: master is unqueued, this is deprecated
[    0.640000] m25p80 spi0.0: found mx25l3205d, expected m25p80
[    0.650000] m25p80 spi0.0: mx25l3205d (4096 Kbytes)
[    0.660000] 5 tp-link partitions found on MTD device spi0.0
[    0.660000] Creating 5 MTD partitions on "spi0.0":
[    0.670000] 0x000000000000-0x000000020000 : "u-boot"
[    0.670000] 0x000000020000-0x000000123500 : "kernel"
[    0.680000] mtd: partition "kernel" must either start or end on erase block boundary or be smaller than an erase block -- forcing read-only
[    0.690000] 0x000000123500-0x0000003f0000 : "rootfs"
[    0.700000] mtd: partition "rootfs" must either start or end on erase block boundary or be smaller than an erase block -- forcing read-only
[    0.710000] mtd: device 2 (rootfs) set to be root filesystem
[    0.720000] 1 squashfs-split partitions found on MTD device rootfs
[    0.730000] 0x000000370000-0x0000003f0000 : "rootfs_data"
[    0.730000] 0x0000003f0000-0x000000400000 : "art"
[    0.740000] 0x000000020000-0x0000003f0000 : "firmware"
[    0.770000] libphy: ag71xx_mdio: probed
[    1.330000] ag71xx-mdio.1: Found an AR934X built-in switch
[    2.360000] eth0: Atheros AG71xx at 0xba000000, irq 5, mode:GMII
[    2.920000] ag71xx ag71xx.0: connected to PHY at ag71xx-mdio.1:04 [uid=004dd042, driver=Generic PHY]
[    2.930000] eth1: Atheros AG71xx at 0xb9000000, irq 4, mode:MII
[    2.940000] TCP: cubic registered
[    2.940000] NET: Registered protocol family 17
[    2.950000] 8021q: 802.1Q VLAN Support v1.8
[    2.960000] VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
[    2.970000] Freeing unused kernel memory: 284K (80329000 - 80370000)
procd: Console is alive
procd: - watchdog -
procd: - preinit -
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
jffs2 is ready
jffs2 is ready
[    9.980000] jffs2: notice: (302) jffs2_build_xattr_subsystem: complete building xattr subsystem, 1 of xdatum (1 unchecked, 0 orphan) and 14 of xref (0 dead,0 orphan) found.
switching to overlay
procd: - early -
procd: - watchdog -
procd: - ubus -
procd: - init -
Please press Enter to activate this console.
[   11.490000] NET: Registered protocol family 10
[   11.510000] nf_conntrack version 0.5.0 (453 buckets, 1812 max)
[   11.520000] ip6_tables: (C) 2000-2006 Netfilter Core Team
[   11.530000] Netfilter messages via NETLINK v0.30.
[   11.540000] ip_set: protocol 6
[   11.580000] u32 classifier
[   11.580000]     input device check on
[   11.580000]     Actions configured
[   11.590000] Mirror/redirect action on
[   11.600000] Failed to load ipt action
[   11.640000] Loading modules backported from Linux version master-2014-05-22-0-gf2032ea
[   11.650000] Backport generated by backports.git backports-20140320-37-g5c33da0
[   11.660000] ip_tables: (C) 2000-2006 Netfilter Core Team
[   11.760000] xt_time: kernel timezone is -0000
[   11.800000] cfg80211: Calling CRDA to update world regulatory domain
[   11.800000] cfg80211: World regulatory domain updated:
[   11.810000] cfg80211:  DFS Master region: unset
[   11.810000] cfg80211:   (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp), (dfs_cac_time)
[   11.820000] cfg80211:   (2402000 KHz - 2472000 KHz @ 40000 KHz), (N/A, 2000 mBm), (N/A)
[   11.830000] cfg80211:   (2457000 KHz - 2482000 KHz @ 40000 KHz), (N/A, 2000 mBm), (N/A)
[   11.840000] cfg80211:   (2474000 KHz - 2494000 KHz @ 20000 KHz), (N/A, 2000 mBm), (N/A)
[   11.850000] cfg80211:   (5170000 KHz - 5250000 KHz @ 160000 KHz), (N/A, 2000mBm), (N/A)
[   11.860000] cfg80211:   (5250000 KHz - 5330000 KHz @ 160000 KHz), (N/A, 2000mBm), (0 s)
[   11.870000] cfg80211:   (5490000 KHz - 5730000 KHz @ 160000 KHz), (N/A, 2000mBm), (0 s)
[   11.870000] cfg80211:   (5735000 KHz - 5835000 KHz @ 80000 KHz), (N/A, 2000 mBm), (N/A)
[   11.880000] cfg80211:   (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 0mBm), (N/A)
[   11.960000] PPP generic driver version 2.4.2
[   11.970000] NET: Registered protocol family 24
[   12.050000] cfg80211: Calling CRDA for country: US
[   12.060000] cfg80211: Regulatory domain changed to country: US
[   12.060000] cfg80211:  DFS Master region: FCC
[   12.070000] cfg80211:   (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp), (dfs_cac_time)
[   12.080000] cfg80211:   (2402000 KHz - 2472000 KHz @ 40000 KHz), (N/A, 3000 mBm), (N/A)
[   12.080000] cfg80211:   (5170000 KHz - 5250000 KHz @ 80000 KHz), (N/A, 1700 mBm), (N/A)
[   12.090000] cfg80211:   (5250000 KHz - 5330000 KHz @ 80000 KHz), (N/A, 2300 mBm), (0 s)
[   12.100000] cfg80211:   (5735000 KHz - 5835000 KHz @ 80000 KHz), (N/A, 3000 mBm), (N/A)
[   12.110000] cfg80211:   (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 4000 mBm), (N/A)
[   12.120000] ieee80211 phy0: Atheros AR9531 Rev:1 mem=0xb8100000, irq=2
[   21.960000] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[   21.960000] device eth0 entered promiscuous mode
[   21.970000] IPv6: ADDRCONF(NETDEV_UP): br-lan: link is not ready
[   22.000000] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
procd: - init complete -
[   24.430000] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[   24.450000] device wlan0 entered promiscuous mode
[   30.650000] br-lan: port 2(wlan0) entered forwarding state
[   30.660000] br-lan: port 2(wlan0) entered forwarding state
[   30.660000] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[   30.680000] device wlan0-1 entered promiscuous mode
[   30.690000] br-lan: port 3(wlan0-1) entered forwarding state
[   30.690000] br-lan: port 3(wlan0-1) entered forwarding state
[   30.700000] IPv6: ADDRCONF(NETDEV_UP): wlan0-1: link is not ready
[   30.720000] IPv6: ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready
[   30.720000] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0-1: link becomes ready
[   32.660000] br-lan: port 2(wlan0) entered forwarding state
[   32.690000] br-lan: port 3(wlan0-1) entered forwarding state


It seems it is running some mod-version of Openwrt:

Starting kernel ... [0.000000] Linux version 3.10.49 (pablo@pablo-SC) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r44049)

It looks like this device is 4MB flash 32MB DRAM.  I have a lot of "free" wi-fi routers in this range.

With it, you can choose dd-wrt or openwrt.  I find openwrt less buggy than dd-wrt. 

Openwrt says it is not recommended:

https://openwrt.org/toh/tp-link/tl-wr841nd



This device is NOT RECOMMENDED for future use with OpenWrt due to low flash/ram.
DO NOT BUY DEVICES WITH 4MB FLASH / 32MB RAM if you intend to flash an up-to-date and secure OpenWrt version (18.06 or later) onto it! See 4/32 warning for details.

1) This device does not have sufficient resources (flash and/or RAM) to provide secure and reliable operation.
This means that even setting a password or changing simple network settings might not be possible any more, rendering the device effectively useless. See OpenWrt on 4/32 devices what you can do now.

2) OpenWrt support for this device will end after 2019.
19.07 will be the last official build for 4/32 devices. After 19.07, no further OpenWrt images will be built for 4/32 devices. See OpenWrt on 4/32 devices what you can do now.

I haven't gone deeply into the issue. It seems may be some older version might work.

What would you recommend I do? Does DD-WRT need less resources?

What I am thinking is to install the TP-Link firmware first. But the instructions are for installing it via ethernet-HTTP.

I am communicating with the router via the parallel port. The first issue is how could I install the firmware or enable the ethernet-http interface?

[retiredcaps]

What would you recommend I do? Does DD-WRT need less resources?

If you want to use this router long term, then probably stay with dd-wrt?  It might be more likely to stay with its 4/32?

4/32 runs fine on my dlink dir-615 (even with an hosts file for adblocking).   Once openwrt drops 4/32, I will retry dd-wrt in hopes the 802.11n radio code is not broken like it is now.  If not, the next "free router" with 8/64 comes into play.

I am communicating with the router via the parallel port. The first issue is how could I install the firmware or enable the ethernet-http interface?

If it were me, I would just do the TFTP install/recovery via serial and install openwrt on it first.  After you get vanilla openwrt to load, then flash over to dd-wrt.

[soldar]

If it were me, I would just do the TFTP install/recovery via serial and install openwrt on it first.  After you get vanilla openwrt to load, then flash over to dd-wrt.

Thanks but I have no idea how to do this. When I start the router it sends thatlong text out but it does not seem to respond to anything I type. What should I do and what should it do?

[Black Phoenix]

May be this can help:

https://openwrt.org/toh/tp-link/tl-wr841nd

TFTP recovery via bootloader for v8,v9,v10,v11,v12,v13

As most other current TP-Link routers this device can be flashed and debricked without serial access. Basically, the procedure is as follows:

    Set your PC to use the static IP address 192.168.0.66 (the router will have 192.168.0.86)
    Put an OpenWrt factory image named: for v8 mr3420v2_tp_recovery.bin or wr841nv8_tp_recovery.bin (for v8.4); for v9 wr841nv9_tp_recovery.bin; for v10 wr841nv10_tp_recovery.bin; for v11 and v12 wr841nv11_tp_recovery.bin; for v13 tp_recovery.bin in the root directory of an TFTP server and start it. For v12 you still need a v12 firmware. Just the filename has to be named as a v11 device!
    Power on the router while pressing the reset button until the lock LED is lighting up
    Wait for the router to reboot

:!:WARNING! For hardware version 13, it is very likely that u-boot will be erased while using this method, as most mediatek SOC models tend to! Therefore, do NOT flash sysupgrade image using TFTP! Instead, follow the instructions described here: tftp_recovery_de-bricking for the factory image, for OpenWrt image, you must append the bootloader using dd. If the bootloader gets overwritten, the only way out is to use a SPI flash programmer to reflash it. Latest version TFTP image seems to work as described above without modification

TFTP server log may contain info about firmware image name that router requested. Something like: Read request for file <wr841nv8_tp_recovery.bin> . Mode octet [21/11 09:45:27.574]

For details, see reset_button_method_no_serial_cable_needed

You also have another recovery methods, as the one above this one I posted.

TFTP install/recovery via serial

For v8,v9,v10,v11,v12 TFTP install is much easier

Beware that this installation method needs a TTL level serial console usb to TTL like DKU-5 data cable or RS232-TTL level shifter like this:



and a working TFTP server and should not be attempted unless you have experience with this sort of thing or are eager to learn.

This is taken more or less verbatim from https://forum.openwrt.org/viewtopic.php?id=24203, thanks to dl3daz.

    Download an appropriate image to serve from your TFTP server (for example, openwrt-ar71xx-generic-tl-wr841n-v8-squashfs-factory.bin for v8).
    Hook your routers WAN ethernet port up to your network (for v8.2 it's LAN1 ethernet port)
    Hook up the serial console as explained in the section “serial console”. At the prompt “Autobooting in 1 seconds” type “tpl” quickly to start a uboot console.
    Now we need to set router and server IP addresses (here named ROUTERIP and SERVERIP, substitute these with the real IP addresses).

Type in the console:

setenv ipaddr ROUTERIP
setenv serverip SERVERIP
printenv

For example: Configure this static ip for your LAN card 192.168.1.100. If your computer containing other LAN or Wifi card, disable it!

Type in the console

setenv ipaddr 192.168.1.111
setenv serverip 192.168.1.100

192.168.1.111 is the router ip, 192.168.1.100 is the TFTP server ip.

    Double check that the output of printenv lists the IP addresses you just set.
    Uboot needs the tftp server to be listening on port 69. Make sure your server is configured to listen to that port. Now we can load the firmware over TFTP with “tftpboot 0x80000000 openwrt-ar71xx-generic-tl-wr841n-v8-squashfs-factory.bin”:

    ar7240> tftpboot 0x80000000 openwrt-ar71xx-generic-tl-wr841n-v8-squashfs-factory.bin
    Using eth0 device
    TFTP from server 192.168.1.100; our IP address is 192.168.1.111
    Filename 'openwrt-ar71xx-generic-tl-wr841n-v8-squashfs-factory.bin'.
    Load address: 0x80000000
    Loading: checksum bad
    #################################################################
             #################################################################
             #################################################################
             #################################################################
             #################################################################
             #################################################################
             #################################################################
             #################################################################
             #################################################################
             #################################################################
             #################################################################
             ######################################################
    done
    Bytes transferred = 3932160 (3c0000 hex)

    Note the “3c0000” in the last line (your number may differ). Now execute the following commands, if necessary replacing 3c0000 with the number you got from tftpboot

Type:

printenv bootcmd

Take note of the address and use it as flash erase start address.

For TL-WR841ND v3:

1. Erase the flash:

 ar7100> erase 0xbf020000 +0x3c0000
                                                                             
First 0x2 last 0x3d sector size 0x10000                                     
  61                                                                         
Erased 60 sectors

2.Copy RAM content to flash:

 ar7100> cp.b 0x80000000 0xbf020000 0x3c0000                                 
Copy to Flash... write addr: bf020000                       
done

3.Reset

 ar7100> reset                                               
                                                           
Resetting...

4. Done.

For TL-WR841ND v5, v7, v8, v9:

1. Erase the flash:

wasp> erase 0x9f020000 +0x3c0000

2. Copy RAM content to flash:

wasp> cp.b 0x80000000 0x9f020000 0x3c0000

3. Set up the boot

wasp> bootm 0x9f020000
## Booting image at 9f020000 ...
Uncompressing Kernel Image ... OK

Starting kernel ...

4. Done.

By putting it on the default openwrt firmware then you can go the factory firmware and finish with the dd-wrt.

[magic]

In fact, using serial, it is possible to test run an image before writing it to flash. Run tftpboot to download and then proceed straight to bootm.

[soldar]

May be this can help:

https://openwrt.org/toh/tp-link/tl-wr841nd

Yeah, thanks, I have been reading that page for some time now but not making progress.

I suspect my laptop terminal may be receiving from the router but the router is not receiving from the terminal because I see no response.

Measuring voltage levels at the laptop serial port they are about +/- 4.1 volt and not the full +/- 12 V specified for RS232. This may be interfering. I don't know. So that is the first problem that would need to be resolved. Making sure there is good communication both ways. At this point I only know I am receiving from the router.

And, getting back to the https://openwrt.org/toh/tp-link/tl-wr841nd page,, it says it requires "a working TFTP server and should not be attempted unless you have experience with this sort of thing or are eager to learn".

Well, some years ago, after spending many hours with a Linksys router I managed to brick it and this time around I have a feeling I may be on the same course. I think the amount of time and effort I would need to sink into this project is not really justified, especially since it is a one-time thing.

For the time being I think I am putting it on hold and may take it up later if and when I feel like it.

[tunk]

According to wikipedia the RS232 voltage levels are +/- 3-15V.
From the openwrt page, you may have to remove R26 to get a fully working serial.

[soldar]

According to wikipedia the RS232 voltage levels are +/- 3-15V.

True. So +/- 4 should be within specs. Good to know.

From the openwrt page, you may have to remove R26 to get a fully working serial.

Good catch. I had missed that. But, I have been looking into this and, for now, I do not think that is the cause of the problem. It says "It's a pull-up between RX (device side) and VCC" but I measure 0 Volts so, if anything, in my case it would be a pull-down.

I do not see activity in the RS232 TxD pin so I think the laptop is just not sending data. And I suspect it may be because every simple RS232 connection I have made requires some more pins to be connected. Sometime RTS to CTS, sometimes DTR, DCD or other pins require to be connected to some other pin or Vcc or Gnd. I think this is the most likely cause of the laptop not sending data.  I will keep looking into this.

[rsjsouza]

I do not see activity in the RS232 TxD pin so I think the laptop is just not sending data. And I suspect it may be because every simple RS232 connection I have made requires some more pins to be connected. Sometime RTS to CTS, sometimes DTR, DCD or other pins require to be connected to some other pin or Vcc or Gnd. I think this is the most likely cause of the laptop not sending data.  I will keep looking into this.

Did you select Flow control: None on the Hyperterminal? This prevents it from waiting for the CTS signal to be asserted.

[soldar]

Did you select Flow control: None on the Hyperterminal? This prevents it from waiting for the CTS signal to be asserted.

Ha, ha! I was playing around and just discovered that!. Actually I found that selecting Xon/Xoff also shows activity in the TxD pin.

Now the thing is that I see activity in the RS232 pin 8 (input) but nothing on the corresponding output which is pin 9. So now I am faced with troubleshooting the converter hardware.

I keep saying I am abandoning but then I keep going back just "one more time".

E.T.A.: It seems R26 is a pull-down resistor, not pull-up, and the output of the voltage converter is open collector so no wonder it was not working. I need to provide a pull-up resistor and it seems it may have to be low value. I do not want to remove that R26 pull-down. I would rather provide more current to pull it up.

[soldar]

OK, slowly making progress. I fitted a pull-up resistor as shown and now the modem receives data from the laptop.


Now, after I start up the router I get the same wall of text as before and then I hit enter and "help"and this is what I get:

Code: [Select]

BusyBox v1.22.1 (2015-01-19 11:49:24 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 BARRIER BREAKER (Barrier Breaker, r44049)
 -----------------------------------------------------
  * 1/2 oz Galliano         Pour all ingredients into
  * 4 oz cold Coffee        an irish coffee mug filled
  * 1 1/2 oz Dark Rum       with crushed ice. Stir.
  * 2 tsp. Creme de Cacao
 -----------------------------------------------------
root@OpenWrt:/# help
Built-in commands:
------------------
        . : [ [[ alias bg break cd chdir command continue echo eval exec
        exit export false fg getopts hash help history jobs kill let
        local printf pwd read readonly return set shift source test times
        trap true type ulimit umask unalias unset wait

root@OpenWrt:/#
So it seems I am logged into OpenWRT.
Now what?

[soldar]

Stuck again.  I found out I can stop the booting into Openwrt by typing "tpl" when it says "Autobooting in 1 seconds". It is impossible to type it in fast enough but I can paste it just in time.

So I can avoid booting into Openwrt and stay in uboot (I guess).  And then I have the following commands:

Code: [Select]


U-Boot 1.1.4 (Build from LSDK-9.5.3.16 at Oct 13 2014 - 17:01:20)
hb> help
?       - alias for 'help'
boot    - boot default, i.e., run 'bootcmd'
bootd   - boot default, i.e., run 'bootcmd'
bootm   - boot application image from memory
cp      - memory copy
erase   - erase FLASH memory
help    - print online help
md      - memory display
mm      - memory modify (auto-incrementing)
mtest   - simple RAM test
mw      - memory write (fill)
nm      - memory modify (constant address)
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
progmac - Set ethernet MAC addresses
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
setenv  - set environment variables
tftpboot- boot image via network using TFTP protocol
version - print monitor version
hb>
I tried ping and it gets a response via the Ethernet port.

But I still have no idea how to change the firmware.

[Black Phoenix]

You have to load the image of the firmware now via TFTP:

tftpboot- boot image via network using TFTP protocol

You need to have a PC with a TFTP Server enable and in that server you have the file that is the image to load.

Then by selecting the TFTP option above, you put the IP of the TFTP server and the file should be downloaded to the Router and installed.

[soldar]

This exercise has been extremely frustrating but after many hours of trial and error I managed to load successfully Openwrt V15.  I am very surprised I did not brick the router in the process because I did it wrong over 20 times until I succeeded. 

After many hours of trying I found this video https://www.youtube.com/watch?v=RtqVKNfuxWM?t=0 (over an hour long!) and following the instructions I managed to load Openwrt V15 which I now have running on the router and I am playing with it. I suppose if I want to flash the router with a new OS I can do it from there and not go through the entire rigamarole again.

The instructions are complex and prone to making mistakes. I could not find anywhere a detailed explanation of the syntax of tftpboot and it was very frustrating.

tftpboot 0x80000000 openwrt-15.05.1-ar71xx-generic-tl-wr841n-v9-squashfs-factory.bin

erase 0x9f020000 +0x3c0000

cp.b 0x80000000 0x9f020000 3c0000

reset

Anyway, all's well that ends well.

I will now spend some time learning a bit about Openwrt and see what I can do with it.  I would like to block some IP addresses and another thing I'd like is a VPN but I do not think I have seen any VPN configuration in the menus.

After some playing it can replace another router I have, a TPLink WR340G, with all the menus and interface in Chinese. Maybe that can be the next flashee.