The TL-WR703N piratebox exploration

Today, just trying again at configuring a pirate box in TL-WR703N. A while ago, I got it working for a while, but then the Sandisk 16gig somehow ended up dying. Haven’t touched it since. Now just trying to see what can be done with it, and if I can reinstall it (on a 4gig flash drive, Sandisk nonetheless)

Serial: 11520 baud

Useful to note that if you stuff things up in OpenWrt for TL-WR703N that you can revert the damage via typing openwrt reset -r mtd -r erase rootfs_data

Also soldered into TL-WR703N, is a stereo plug that is acting as a cheap way to implement a TTL logic level UART port for interfacing with the board’s linux console terminal over serial (via Putty).

TRS Plug (What I chose, based on most common configuration I seen online) 
(Remember that Tx->Rx and Rx->Tx)

PLUG SIDE (To USB to serial converter
TIP , RING , SLEEVE
Txd , Rxd  , Ground

PORTSIDE (wired to board UART)
TIP , RING , SLEEVE
Rxd , Txd  , Ground

Having bit of difficulty in getting the usb to mount, possibly due to the need to install usb mounting package. But to install packages, I need an internet connection :/ . Well my router has DHCP, so we can go from there (Static IPs are bloody annoying).

Configuring /etc/config/network (via vi)

Notice specifically that I switched the option for ‘proto’ to ‘dhcp’

root@OpenWrt:/etc# cat /etc/config/network
config interface 'loopback'
		option ifname 'lo'
		option proto 'static'
		option ipaddr '127.0.0.1'
		option netmask '255.0.0.0'

config interface 'lan'
		option ifname 'eth0'
		option type 'bridge'
		option proto 'dhcp'
		option ipaddr '192.168.1.1'
		option netmask '255.255.255.0'

Working out how to reset the network daemon

root@OpenWrt:/etc# /etc/init.d/
boot       dnsmasq    firewall   rcS        telnet     usb
cron       done       led        sysctl     ubus       watchdog
defconfig  dropbear   network    sysntpd    umount
root@OpenWrt:/etc# /etc/init.d/network
Syntax: /etc/init.d/network [command]

Available commands:
		start   Start the service
		stop    Stop the service
		restart Restart the service
		reload  Reload configuration files (or restart if that fails)
		enable  Enable service autostart
		disable Disable service autostart

root@OpenWrt:/etc# /etc/init.d/network reload
[ 4768.420000] br-lan: port 1(eth0) entered disabled state
[ 4768.450000] device eth0 left promiscuous mode
[ 4768.450000] br-lan: port 1(eth0) entered disabled state
[ 4768.450000] eth0: link down
[ 4768.480000] device eth0 entered promiscuous mode
'radio0' is disabled
[ 4769.250000] eth0: link up (100Mbps/Full duplex)
[ 4769.250000] br-lan: port 1(eth0) entered forwarding state
[ 4769.250000] br-lan: port 1(eth0) entered forwarding state
'radio0' is disabled
'radio0' is disabled
root@OpenWrt:/etc# [ 4771.250000] br-lan: port 1(eth0) entered forwarding state

Yay! Internet access!

TIP: Control z will quit any program you are running at the moment in command line.

root@OpenWrt:/etc# ping google.com
PING google.com (74.125.237.96): 56 data bytes
64 bytes from 74.125.237.96: seq=0 ttl=55 time=27.968 ms
64 bytes from 74.125.237.96: seq=1 ttl=56 time=31.212 ms
64 bytes from 74.125.237.96: seq=2 ttl=56 time=30.802 ms
^Z[3]+  Stopped                    ping google.com
root@OpenWrt:/etc#

On upgrading OpenWrt (and the need for usb driver)

I already installed OpenWrt, and based on tl-wr703n#flashing page in openwrt wiki, you need to flash a factory and then a sysupgrade. I was pretty confused on the difference between the two until stitch626 in https://forum.openwrt.org/viewtopic.php?id=34572 pointed this out from the FAQ.

What is the difference between the different image formats?
	a factory image is one built for the bootloader flasher or stock software flasher
	a sysupgrade image (previously named trx image) is designed to be flashed from within openwrt itself

What this means, is that I have already installed the ‘factory’ replacement image, my best guess is that it holds the openwrt fail safes etc… think of it as the ‘openwrt BIOS’.

Which means, what I really should be doing, is updating the sysupgrade image of the system.

cd /tmp
wget http://downloads.openwrt.org/snapshots/trunk/ar71xx/openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-sysupgrade.bin
sysupgrade openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-sysupgrade.bin
reboot

hmmm… It seems that a fresh install of openwrt does not include usb support (needed to install piratebox install script in usb drive). Looking at http://en.code-bude.net/2013/02/16/how-to-increase-storage-on-tp-link-wr703n-with-extroot/ Trying ‘ls /dev/sd*` shows no directory or file, indicating no flash drive mounted.

#Update package list
opkg update
#Install USB storage support
opkg install kmod-usb-storage

in http://wiki.openwrt.org/doc/howto/usb.storage

opkg update
opkg install kmod-usb-storage block-mount block-hotplug kmod-fs-ext4 kmod-fs-vfat kmod-nls-cp437 kmod-nls-iso8859-1
mkdir -p /mnt/usb
mount -t vfat /dev/sda1 /mnt/usb

Don’t forget to type reboot after installing usb support, otherwise you gonna go crazy. ( opkg install kmod-scsi-generic may also be required… not sure)

bricked!

Somehow after following the pirate box instruction, I got it stuck in a autoreset loop during the install process. http://piratebox.cc/openwrt:diy (edit: Okay, so I am an idiot, I forgot one critical instruction to place a modified “*squashfs-factory.bin” on the root directory of the flash drive)

U-Boot 1.1.4 (Feb 28 2012 - 11:58:24)

AP121 (ar9330) U-boot

DRAM:  32 MB
led turning on for 1s...
id read 0x100000ff
flash size 4194304, sector count = 64
Flash:  4 MB
Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ag7240_enet_initialize...
No valid address in Flash. Using fixed address
No valid address in Flash. Using fixed address
: cfg1 0x5 cfg2 0x7114
eth0: 00:03:7f:09:0b:ad
ag7240_phy_setup
eth0 up
: cfg1 0xf cfg2 0x7214
eth1: 00:03:7f:09:0b:ad
athrs26_reg_init_lan
ATHRS26: resetting s26
ATHRS26: s26 reset done
ag7240_phy_setup
eth1 up
eth0, eth1
Autobooting in 1 seconds
## Booting image at 9f020000 ...
   Uncompressing Kernel Image ... Too big uncompressed streamLZMA ERROR 1 - must RESET

Typed tpl very quickly after Autobooting in 1 seconds is shown, getting me into some sort of failsafe of failsafes. (I suspect it is a CFE (Common Firmware Environment) command line http://wiki.openwrt.org/doc/techref/bootloader/cfe )

U-Boot 1.1.4 (Feb 28 2012 - 11:58:24)

AP121 (ar9330) U-boot

DRAM:  32 MB
led turning on for 1s...
id read 0x100000ff
flash size 4194304, sector count = 64
Flash:  4 MB
Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ag7240_enet_initialize...
No valid address in Flash. Using fixed address
No valid address in Flash. Using fixed address
: cfg1 0x5 cfg2 0x7114
eth0: 00:03:7f:09:0b:ad
ag7240_phy_setup
eth0 up
: cfg1 0xf cfg2 0x7214
eth1: 00:03:7f:09:0b:ad
athrs26_reg_init_lan
ATHRS26: resetting s26
ATHRS26: s26 reset done
ag7240_phy_setup
eth1 up
eth0, eth1
Autobooting in 1 seconds
hornet> help
?       - alias for 'help'
bootm   - boot application image from memory
cp      - memory copy
erase   - erase FLASH memory
help    - print online help
md      - memory display
mm      - memory modify (auto-incrementing)
mtest   - simple RAM test
mw      - memory write (fill)
nm      - memory modify (constant address)
printenv- print environment variables
progmac - Set ethernet MAC addresses
reset   - Perform RESET of the CPU
setenv  - set environment variables
tftpboot- boot image via network using TFTP protocol
version - print monitor version

After getting an TFTP client and following http://forums.openpilot.org/blog/52/entry-92-unbrick-wr703n-wifi-router/ http://www.tricksguide.com/how-to-setup-a-tftp-server-tftpd32-windows.html

Using http://www.rfactory.org/OpenWRT/download/ipscan.exe to scan for the ip of the device.

This is all confusing and not working… On checking http://staticky.com/ar725w.html for a different device, I saw something simular using tftp only

tftp 8A800000 openwrt.bin
protect off BC450000 BC7DFFFF
erase BC450000 BC7DFFFF
cp.b 8A800000 BC450000 $(filesize)
bootm

The author has a nice description of what the above does “This downloads the firmware image to RAM (which begins at 0x80000000), unprotects the safe area of the flash chip, erases said flash space and then copies (writes) onto the flash chip from the RAM image. The bootm command boots the image in 0xBC450000 by default. It is also useful for booting an uImage in memory, like the kernel+initramfs images that OpenWRT can build. In that case, something like bootm 8a800000 works.”

This makes more sense on how the below lines of commands in http://forums.openpilot.org/blog/52/entry-92-unbrick-wr703n-wifi-router/ works.

hornet> tftpboot 0x81000000 openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin
hornet> erase 0x9f020000 +0x3c0000
hornet> cp.b 0x81000000 0x9f020000 0x3c0000
hornet> bootm 9f020000

Okay I think this is using Das U-boot bootloader. I could try uploading over serial, but man… there is no good kermit or ymodem programs for windows (Haven’t yet transitined to linux yet D: )

http://www.jackslab.org/?portfolio=u-boot-quick-start

Ooooh so there is more commands under Uboot e.g. tftp http://support.atmel.no/knowledgebase/avr32studiohelp/com.atmel.avr32.tool.ngw100/html/u_boot_command_reference.html

Ahhh screw this… I think trying to get this working over tftp under windows is screwed up… I’ll shelve this, until maybe I find a kermit serial modem thing in python or something