The TL-WR703N piratebox exploration
Today, just trying again at configuring a pirate box in TL-WR703N. A while ago, I got it working for a while, but then the Sandisk 16gig somehow ended up dying. Haven’t touched it since. Now just trying to see what can be done with it, and if I can reinstall it (on a 4gig flash drive, Sandisk nonetheless)
Serial: 11520 baud
Useful to note that if you stuff things up in OpenWrt for TL-WR703N that you can revert the damage via typing openwrt reset -r mtd -r erase rootfs_data
Also soldered into TL-WR703N, is a stereo plug that is acting as a cheap way to implement a TTL logic level UART port for interfacing with the board’s linux console terminal over serial (via Putty).
TRS Plug (What I chose, based on most common configuration I seen online)
(Remember that Tx->Rx and Rx->Tx)
PLUG SIDE (To USB to serial converter
TIP , RING , SLEEVE
Txd , Rxd , Ground
PORTSIDE (wired to board UART)
TIP , RING , SLEEVE
Rxd , Txd , Ground
Having bit of difficulty in getting the usb to mount, possibly due to the need to install usb mounting package. But to install packages, I need an internet connection :/ . Well my router has DHCP, so we can go from there (Static IPs are bloody annoying).
Configuring /etc/config/network (via vi)
Notice specifically that I switched the option for ‘proto’ to ‘dhcp’
root@OpenWrt:/etc# cat /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config interface 'lan'
option ifname 'eth0'
option type 'bridge'
option proto 'dhcp'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
Working out how to reset the network daemon
root@OpenWrt:/etc# /etc/init.d/
boot dnsmasq firewall rcS telnet usb
cron done led sysctl ubus watchdog
defconfig dropbear network sysntpd umount
root@OpenWrt:/etc# /etc/init.d/network
Syntax: /etc/init.d/network [command]
Available commands:
start Start the service
stop Stop the service
restart Restart the service
reload Reload configuration files (or restart if that fails)
enable Enable service autostart
disable Disable service autostart
root@OpenWrt:/etc# /etc/init.d/network reload
[ 4768.420000] br-lan: port 1(eth0) entered disabled state
[ 4768.450000] device eth0 left promiscuous mode
[ 4768.450000] br-lan: port 1(eth0) entered disabled state
[ 4768.450000] eth0: link down
[ 4768.480000] device eth0 entered promiscuous mode
'radio0' is disabled
[ 4769.250000] eth0: link up (100Mbps/Full duplex)
[ 4769.250000] br-lan: port 1(eth0) entered forwarding state
[ 4769.250000] br-lan: port 1(eth0) entered forwarding state
'radio0' is disabled
'radio0' is disabled
root@OpenWrt:/etc# [ 4771.250000] br-lan: port 1(eth0) entered forwarding state
Yay! Internet access!
TIP: Control z will quit any program you are running at the moment in command line.
root@OpenWrt:/etc# ping google.com
PING google.com (74.125.237.96): 56 data bytes
64 bytes from 74.125.237.96: seq=0 ttl=55 time=27.968 ms
64 bytes from 74.125.237.96: seq=1 ttl=56 time=31.212 ms
64 bytes from 74.125.237.96: seq=2 ttl=56 time=30.802 ms
^Z[3]+ Stopped ping google.com
root@OpenWrt:/etc#
On upgrading OpenWrt (and the need for usb driver)
I already installed OpenWrt, and based on tl-wr703n#flashing page in openwrt wiki, you need to flash a factory and then a sysupgrade. I was pretty confused on the difference between the two until stitch626 in https://forum.openwrt.org/viewtopic.php?id=34572 pointed this out from the FAQ.
What is the difference between the different image formats?
a factory image is one built for the bootloader flasher or stock software flasher
a sysupgrade image (previously named trx image) is designed to be flashed from within openwrt itself
What this means, is that I have already installed the ‘factory’ replacement image, my best guess is that it holds the openwrt fail safes etc… think of it as the ‘openwrt BIOS’.
Which means, what I really should be doing, is updating the sysupgrade image of the system.
cd /tmp
wget http://downloads.openwrt.org/snapshots/trunk/ar71xx/openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-sysupgrade.bin
sysupgrade openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-sysupgrade.bin
reboot
hmmm… It seems that a fresh install of openwrt does not include usb support (needed to install piratebox install script in usb drive). Looking at http://en.code-bude.net/2013/02/16/how-to-increase-storage-on-tp-link-wr703n-with-extroot/ Trying ‘ls /dev/sd*` shows no directory or file, indicating no flash drive mounted.
#Update package list
opkg update
#Install USB storage support
opkg install kmod-usb-storage
in http://wiki.openwrt.org/doc/howto/usb.storage
opkg update
opkg install kmod-usb-storage block-mount block-hotplug kmod-fs-ext4 kmod-fs-vfat kmod-nls-cp437 kmod-nls-iso8859-1
mkdir -p /mnt/usb
mount -t vfat /dev/sda1 /mnt/usb
Don’t forget to type reboot
after installing usb support, otherwise you gonna go crazy. ( opkg install kmod-scsi-generic
may also be required… not sure)
bricked!
Somehow after following the pirate box instruction, I got it stuck in a autoreset loop during the install process. http://piratebox.cc/openwrt:diy (edit: Okay, so I am an idiot, I forgot one critical instruction to place a modified “*squashfs-factory.bin” on the root directory of the flash drive)
U-Boot 1.1.4 (Feb 28 2012 - 11:58:24)
AP121 (ar9330) U-boot
DRAM: 32 MB
led turning on for 1s...
id read 0x100000ff
flash size 4194304, sector count = 64
Flash: 4 MB
Using default environment
In: serial
Out: serial
Err: serial
Net: ag7240_enet_initialize...
No valid address in Flash. Using fixed address
No valid address in Flash. Using fixed address
: cfg1 0x5 cfg2 0x7114
eth0: 00:03:7f:09:0b:ad
ag7240_phy_setup
eth0 up
: cfg1 0xf cfg2 0x7214
eth1: 00:03:7f:09:0b:ad
athrs26_reg_init_lan
ATHRS26: resetting s26
ATHRS26: s26 reset done
ag7240_phy_setup
eth1 up
eth0, eth1
Autobooting in 1 seconds
## Booting image at 9f020000 ...
Uncompressing Kernel Image ... Too big uncompressed streamLZMA ERROR 1 - must RESET
Typed tpl
very quickly after Autobooting in 1 seconds
is shown, getting me into some sort of failsafe of failsafes. (I suspect it is a CFE (Common Firmware Environment) command line http://wiki.openwrt.org/doc/techref/bootloader/cfe )
U-Boot 1.1.4 (Feb 28 2012 - 11:58:24)
AP121 (ar9330) U-boot
DRAM: 32 MB
led turning on for 1s...
id read 0x100000ff
flash size 4194304, sector count = 64
Flash: 4 MB
Using default environment
In: serial
Out: serial
Err: serial
Net: ag7240_enet_initialize...
No valid address in Flash. Using fixed address
No valid address in Flash. Using fixed address
: cfg1 0x5 cfg2 0x7114
eth0: 00:03:7f:09:0b:ad
ag7240_phy_setup
eth0 up
: cfg1 0xf cfg2 0x7214
eth1: 00:03:7f:09:0b:ad
athrs26_reg_init_lan
ATHRS26: resetting s26
ATHRS26: s26 reset done
ag7240_phy_setup
eth1 up
eth0, eth1
Autobooting in 1 seconds
hornet> help
? - alias for 'help'
bootm - boot application image from memory
cp - memory copy
erase - erase FLASH memory
help - print online help
md - memory display
mm - memory modify (auto-incrementing)
mtest - simple RAM test
mw - memory write (fill)
nm - memory modify (constant address)
printenv- print environment variables
progmac - Set ethernet MAC addresses
reset - Perform RESET of the CPU
setenv - set environment variables
tftpboot- boot image via network using TFTP protocol
version - print monitor version
After getting an TFTP client and following http://forums.openpilot.org/blog/52/entry-92-unbrick-wr703n-wifi-router/ http://www.tricksguide.com/how-to-setup-a-tftp-server-tftpd32-windows.html
Using http://www.rfactory.org/OpenWRT/download/ipscan.exe to scan for the ip of the device.
This is all confusing and not working… On checking http://staticky.com/ar725w.html for a different device, I saw something simular using tftp only
tftp 8A800000 openwrt.bin
protect off BC450000 BC7DFFFF
erase BC450000 BC7DFFFF
cp.b 8A800000 BC450000 $(filesize)
bootm
The author has a nice description of what the above does “This downloads the firmware image to RAM (which begins at 0x80000000), unprotects the safe area of the flash chip, erases said flash space and then copies (writes) onto the flash chip from the RAM image. The bootm command boots the image in 0xBC450000 by default. It is also useful for booting an uImage in memory, like the kernel+initramfs images that OpenWRT can build. In that case, something like bootm 8a800000 works.”
This makes more sense on how the below lines of commands in http://forums.openpilot.org/blog/52/entry-92-unbrick-wr703n-wifi-router/ works.
hornet> tftpboot 0x81000000 openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin
hornet> erase 0x9f020000 +0x3c0000
hornet> cp.b 0x81000000 0x9f020000 0x3c0000
hornet> bootm 9f020000
Okay I think this is using Das U-boot bootloader. I could try uploading over serial, but man… there is no good kermit or ymodem programs for windows (Haven’t yet transitined to linux yet D: )
http://www.jackslab.org/?portfolio=u-boot-quick-start
Ooooh so there is more commands under Uboot e.g. tftp http://support.atmel.no/knowledgebase/avr32studiohelp/com.atmel.avr32.tool.ngw100/html/u_boot_command_reference.html
Ahhh screw this… I think trying to get this working over tftp under windows is screwed up… I’ll shelve this, until maybe I find a kermit serial modem thing in python or something