Unbrick mr3220v2
Latest revision as of 21:57, 3 October 2021
I managed to brick my latest tp-link mr3220v2 beyond the rescue point.
This version of the router, like its older brothers, has a serial header connector (unpopulated).
This is marked as "unfriendly" on the openwrt site (http://wiki.openwrt.org/toh/tp-link/tl-ap121#info).
What "unfriendly" means here is that the header is not routed on the board: its pins are just open connections, and you have to patch them to the correct pads to get serial output. Unfortunately this wasn't enough to gain access to the router.
While I was able to read the output generated by the router, I wasn't able to type anything in; it seems RX still isn't routed to the header.
So the only option was to flash the chip directly, which means desoldering the chip first and putting it in a programmer.
This is the first router with this kind of chip; the datasheet is here: en25q32 datasheet (http://gnome.eu.org/images/4/4f/En25q32.pdf).
Looking at the above screenshot, the bootloader seems to work fine; it seems the kernel got corrupted somewhere in the middle.
The next step was to desolder the flash chip, put it in a programmer and try to read it, at least to see what is going on there.
My initial thought was to use an Arduino to read it - it was fairly simple to read 24XX chips in the past with an Arduino, but I wasn't sure how easy it is to read this kind of chip. Then I remembered the flashrom project (http://flashrom.org/), which is able to read several types of flash and knows quite a few programmers, and Arduino was among them. The problem was that support for the Arduino Mega was barely working and I didn't have an UNO on me - so to say. But among the other programmers there was the Raspberry PI (http://www.flashrom.org/RaspberryPi), supported using the linux SPI interface, so nothing easier than that.
I hooked the chip to my RPI:
and read the flash:
 # flashrom -r mr3220-flash.bin -V -p linux_spi:dev=/dev/spidev0.0
Looking at the resulting file, it seems my kernel partition got half way written - I was trying to reflash my openwrt firmware via well-known methods and it seems somehow I reset the box too early. Anyway, I wasn't sure what to write where, but I managed to find the flash partition structure on the openwrt site:
00000000:00020000 boot
00020000:00120000 kernel
00120000:003e0000 rootfs
003e0000:003f0000 config
003f0000:00400000 art
and I was able to find an mr3020-mtd-zip mtd image file from a previous version (mr3020) of this router. Quickly comparing the flash image with this file, they seem similar. So now it was a matter of copying the correct partition files over the read flash file and finally writing it back.
In order to be able to flash the image with flashrom, the image needs to be exactly the same size as the en25q32, which is 4194304 bytes (4.0M).
Now, the openwrt images we can get from the openwrt site (or the original firmware) contain only the kernel, rootfs and perhaps config partitions.
In order to be able to write the image we still need the boot (containing u-boot) and art partitions.
What the boot partition is and why we need it is self-explanatory.
The art partition (Atheros Radio Test) contains calibration data for the wireless interface; without it the router won't be able to initialize and bring the wireless interface up.
I was able to retrieve the original boot partition; however, it can easily be rebuilt by compiling u-boot from source.
Also I managed to recover the original art partition. Initially I was convinced this data is model specific, containing the MAC address and other specific data, but in the end this wasn't true.
I grabbed the art file from the mr3020 zip and compared it with the one I retrieved, and there are no differences.
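The two steps above (overlaying a downloaded kernel+rootfs image onto the flashrom dump so the result is exactly 4194304 bytes with boot and art preserved, and checking that two dumps carry the same art partition) as an added example; this is not the wiki author's script, and the sample dump and firmware bytes are constructed, not real images. Partition offsets are the OpenWrt layout quoted on the page.

```python
# Added example (not the wiki author's script): rebuild a full en25q32 image
# from the flashrom dump plus an OpenWrt kernel+rootfs image, and compare the
# art partition of two dumps. Offsets are the OpenWrt layout quoted on the page.
FLASH_SIZE = 0x400000          # en25q32: 4194304 bytes (4.0M), what flashrom expects
ERASED = b"\xff"               # erased NOR flash reads back as 0xff

# name -> (start, end), exactly as listed on the page
PARTITIONS = {
    "boot":   (0x000000, 0x020000),
    "kernel": (0x020000, 0x120000),
    "rootfs": (0x120000, 0x3e0000),
    "config": (0x3e0000, 0x3f0000),
    "art":    (0x3f0000, 0x400000),
}


def split_flash(image: bytes) -> dict:
    """Cut a full dump into its partitions; refuses images of the wrong size."""
    if len(image) != FLASH_SIZE:
        raise ValueError(f"expected {FLASH_SIZE} bytes, got {len(image)}")
    return {name: image[start:end] for name, (start, end) in PARTITIONS.items()}


def assemble_image(dump: bytes, firmware: bytes) -> bytes:
    """Copy a kernel+rootfs(+config) image over the dumped flash at the kernel
    offset. boot (u-boot) and art (radio calibration) come from the dump, since
    the downloadable firmware does not contain them; the firmware must not run
    into art, or the wireless calibration data would be destroyed."""
    parts = split_flash(dump)            # also validates the dump size
    start = PARTITIONS["kernel"][0]
    limit = PARTITIONS["art"][0]
    if len(firmware) > limit - start:
        raise ValueError("firmware would overwrite the art partition")
    out = dump[:start] + firmware + dump[start + len(firmware):]
    assert len(out) == FLASH_SIZE and out[limit:] == parts["art"]
    return out


def art_matches(dump_a: bytes, dump_b: bytes) -> bool:
    """True when the calibration partitions of two dumps are byte-identical."""
    return split_flash(dump_a)["art"] == split_flash(dump_b)["art"]


# Constructed sample data (not a real dump): one fill byte per region, with the
# second half of the kernel left erased, like the half-written kernel on the page.
SAMPLE_DUMP = (b"B" * 0x20000 + b"K" * 0x80000 + ERASED * 0x80000
               + b"R" * 0x2c0000 + b"C" * 0x10000 + b"A" * 0x10000)
SAMPLE_FIRMWARE = b"k" * 0x100000 + b"r" * 0x2c0000   # kernel + rootfs only
```

Write the returned bytes to a file and hand that file to flashrom's `-w`; the size assertion is the check that stops flashrom from rejecting the image.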