AR9341 Router TTL Line Brush Machine

Recently, I have a batch of OEM PoE routers that do not have a USB interface. It is just used to study the TTL flash machine.

Then connect the USB to TTL. Note here that some boards will be incompatible with garbled characters. You can try to change the baud rate. If not, just change a USB to TTL board.

The computer uses SecureCRT, serial port connection, there is no character on the connection, then power on the router, the screen starts to display UBOOT, press any key to interrupt, some press TPL interrupt or ctrl + c interrupt, I first flash breed

These software will be provided below to download, understand the command of FLASH before brushing

2MB FLASH


Flash programmer firmware: tftp 0x80000000 full.bin
erase 0x9f000000 + 0x200000
cp.b 0x80000000 0x9f000000 0x200000 flash
uboot:
tftp 0x80000000 uboot.bin
erase 0x9f000000 + 0x20000
cp.b 0x80000000 0x9f000000 0x20000 flash
fw:
tftp
0x80x9fwfc.
cp.b 0x80000000 0x9f020000 0x1c0000
brush art:
tftp 0x80000000 art.bin
erase 0x9f1f0000 + 0x10000
cp.b 0x80000000 0x9f1f0000 0x10000


4MB FLASH

Flash programmer firmware: tftp 0x80000000 full.bin

erase 0x9f000000 + 0x400000

cp.b 0x80000000 0x9f000000 0x400000 flash

uboot:

tftp 0x80000000 uboot.bin

erase 0x9f000000 + 0x20000

cp.b 0x80000000 0x9f000000 0x20000 flash

fw: tftp 0x80x9 fw0f0f3

cp.b 0x80000000 0x9f020000 0x3c0000

brush art:

tftp 0x80000000 art.bin

erase 0x9f3f0000 + 0x10000

cp.b 0x80000000 0x9f3f0000 0x10000


8MB FLASH

Flash programmer firmware: tftp 0x80000000 full.bin
erase 0x9f000000 + 0x800000
cp.b 0x80000000 0x9f000000 0x800000 flash
uboot:
tftp 0x80000000 uboot.bin
erase 0x9f000000 + 0x20000
cp.b 0x80000000 0x9f000000 0x20000 flash
fw:
tftp
0x80x9 fw.f02
cp.b 0x80000000 0x9f020000 0x7c0000
brush art:
tftp 0x80000000 art.bin
erase 0x9f7f0000 + 0x10000
cp.b 0x80000000 0x9f7f0000 0x10000


16M FLASH: flash address from 0x000000 ~ 0x0FFFFFF
ttl access flash address from 0x9F000000 ~ 0x9F0FFFFFF


The network cable is connected to the router lan port, the computer configuration is set to 192.168.0.2, the mask is 255.255.255.0, and the gateway is 192.168.0.1

Open tftp in my software package, select the network card connected to the router's network cable, it will normally display the IP 192.168.0.2, click "Show Dir" contains a firmware of breed-ar9341.bin, first flash him, execute the following command

setenv ipaddr 192.168.0.1

setenv serverip 192.168.0.2

tftp 0x80000000 breed-ar9341.bin

When done appears, it means that the brushing is successful, and then execute

erase 0x9f000000 + 0x20000

cp.b 0x80000000 0x9f000000 0x20000

When done appears, flashing in is successful. Unplug the router and plug it in again. SecureCRT displays the Breed boot and press any key terminal. At the same time, you can see that the default lan port address is 192.168.1.1

Connect the computer browser to 192.168.1.1, then you can directly use the Breed Web


Enter 192.168.0.1 in the address bar of the browser and select the firmware upgrade. Here you should save the original firmware under backup. You can configure openwrt after the flashing is completed.

Software download address:

https://pan.baidu.com/s/1Z7PkN8ROxpDITdRZHgw3nQ

Extraction code: be5m

Read More

TP-Link WR886N Chinese Third Party Firmware

Here we go after we done moding the FLASH and RAM its time for us to Brush it with the third party firmware. This device WR886N version 3.0 is supported by OpenWrt, SuperWrt, DD-Wrt and Gargoyle Linux opensource firmware. What we need is a USB cheap 25Q FLASH programmer and USB to TTL for the serial console. Next is decide to which boot loader you want to be accustom with.

The first boot loader utility is BREED aka  Boot and Recovery Environment for Embedded Devices is a close source boot loader by hackpascal, its in Simplified Chinese language just use Google translate to let you understand their script. You can download it on Google filename breed-tp9343.bin.

The second boot loader is also a BREED but modified version of the Simplified Chinese language its in English version. Download on the Giant Search engine filename u-boot_tp9343.bin.

The third boot loader is from TP-Link WR940N version 3.0 stock firmware stripped u-boot, filename is u-boot_tp-link_wr940nv3.bin.

The first brushing I did is with the TP-Link stock firmware WR940N version 3.x is also identical to WR941ND version 6.x such SoC. RAM and FLASH. Likewise WR940N version 4.x and 5.x too.

This is TP-Link stock firmware version 4.x if you want to know more about the internal web graphical user interface just visit tp-link.com for the respective wireless router emulator.

Brushing with third party firmware such as OpenWrt is straight forward since you can just upload via web interface if the wireless router is in the TP-Link stock firmware, TFTP is another method on brushing the firmware its usually use for device recovery from bricked devices.

I have more favor on OpenWrt third party firmware because of its plenty packages for the wireless router. Successfully also tested on LEDE both WR940N and WR941ND. On the Chinese forum someone mention that the WR886N ver3.0 can be flashed with TP-Link WR940N version 5.x, ow true is it?

This is TP-Link new web graphical user interface that added some features like Access Point only, Repeater or Range Extender, and WISP unlike the old version this addition function is not supported except for WDS and Wireless router only. The said added features were only exclusive for the TP-Link WA series device not on WR and WDR. The firmware option brushing may depends on the users, what I like on OpenWrt firmware is SoC TP9343 can be fully enhanced to 26dBm or 398mW of power.

If you know other third party Linux firmware that I did not mention let me know I want to brush it with your firmware that you have tried.

Read More

For TP Routing: Modify firmware size, unlock U-boot partitions, add Fullflash partitions

TP-Link TL-WR703N factory default has only 4MB of flash and 32MB RAM, if you want to play with the OP is simply powerless, so I changed the 8M Flash and 64M RAM.

First, modify the firmware size

OpenWrt in the compile time will be based on each model profile to generate the firmware, if the generated firmware integrated too much software and more than 4MB it will be error, you will find that the firmware can not be generated.

Specific symptoms See my last Post start compiling and compiling openwrt.

Compilation passed, but did not find the firmware in ./openwrt/bin/ , turned up the compile output prompt, and found a similar

[mktplinkfw] kernel length aligned to 914864
[mktplinkfw] *** error: images are too big
make[3]: [install] Error 255 (ignored)

Here's how to modify the default firmware size of the TP series router

Actually very simple, find the target/linux/ar71xx/image/Makefile, search for the model you want to modify, such as 703N, find the relevant 703N parameters

Then change the tplink-4mlzma to tplink-8mlzma on the line, and then

define Device/tl-wr703n-v1
    $(Device/tplink-8mlzma)
    BOARDNAME := TL-WR703N
    DEVICE_PROFILE := TLWR703
    TPLINK_HWID := 0x07030101
    CONSOLE := ttyATH0,115200
endef

After you save the exit, you can compile the 8M firmware for tl-wr703n.

Note: Some outdated tutorials on the web say that you also need to modify tools/firmware-utils/src/mktplinkfw.c after I test, the latest source code inside this file is not about 703N and other router parameters, you do not need to modify.


II. Unlocking u-boot Partitions

The horse has the hoof, the person has the slip, does not have to die u-boot how dares the confidence to play the OP? Here we will talk about U-boot, U-boot is the embedded Linux system boot, equivalent to the computer BIOS. The traditional u-boot is only responsible for booting the firmware, once the firmware does not start, then the entire router is brick, there is a TTL is also easy, no one can only on the programmer. But there is not dead u-boot, in fact, with the Web Brush Machine interface U-boot, MA Ma no longer have to worry about my machine into bricks, completely without the demolition machine can save bricks. Want to know their own Google, recommended Enshan hackpascal breed, and brush into U-boot tutorial , I do not discuss how to use u-boot, mainly brush into the u-boot will encounter

could not open mtd device ：u-boot ,can't open device for writing

This is because OpenWrt is locked by default, unless it is unlocked when the firmware is compiled. U-boot

Locate /target/linux/ar71xx/files/drivers/mtd/tplinkpart.c, search for U-boot, find

	parts[0].name = "u-boot";
	parts[0].offset = 0;
	parts[0].size = offset;
        parts[0].mask_flags = MTD_WRITEABLE;

Then remove parts[0].mask_flags = MTD_WRITEABLE; This line will be recompiled.

WARM hint: TP series Brush finished breed must change the MAC address for a valid value, otherwise wireless will hang!

III. Add Fullflash partitions

Now the bricks can be saved, but save back the data are all gone, but also start the configuration, want to think all big ah, the good habit of nurturance is to fall roar! Add Fulllash partitions so that you can back up the entire programmer firmware with the DD command, and there is no such thing as an art loss.
Same as /target/linux/ar71xx/files/drivers/mtd/tplinkpart.c to add the following code

    parts[5].name = "fullflash";
    parts[5].offset = 0;
    parts[5].size = master->size;

As shown in the figure

After recompiling and brushing, you can see the Fullflash partition.

View partitions with cat /proc/mtd

Effect as shown

You can then simply back up the programmer firmware through the dd if=/dev/mtd6 of=/tmp/fullflash.bin !

5aimiku

Read More

Arduino The Simpliest JTAG Adapter

A good while ago I won one of the free PCBs regularly given away by DIY hardware shop Dangerous Prototypes. My board of choice was a CPLD breakout board, for the Xilinx XC9572XL. CPLDs are the smaller brother of FPGAs: "programmable logic" chips that can be made to act as any integrated circuit within the device's limits. The XC9572XL is programmed via a standard JTAG interface. I did not have anything that speaks JTAG so went looking if my Arduino can be turned into an appropriate programmer. The solution that I found, however, did not work; so I built my own.

"Normally", to program a CPLD, or FPGA, one buys an expensive interface cable and uses it with the software development suite supplied by the particular chip's vendor. Of course there are plenty of DIY alternatives; in fact, Dangerous Prototypes sell one or two. One of my goals with this project was, however, to spend next to no money on it. I got the circuit board for free, the parts cost around 3EUR, and I had already done a similar job with my Arduino Atmel programmer.

So after soldering the board I flashed the abovementioned JTAG code onto the Arduino. This was my second time SMD-soldering so I was not expecting the board to work on first try. But even after checking every connection with a multimeter, JTAGWhisperer would do apparently nothing after receiving the first chunk of data. I eventually gave up searching for the cause.

Instead I decided to write a very simple Arduino program that allows direct interaction with the JTAG interface from a serial terminal. It is called jtagbang because it is essentially bit-banging on the JTAG pins. By pure coincidence, it also requires frequent use of the exclamation mark ("bang") when talking to it.

I didn't know anything about JTAG until three days ago. Now I know that it is awesome. The point of JTAG is to connect to any number of chips in some circuit design, taking up next to no space on the board, requiring only very simple support from the chip, and allowing the user to inspect and manipulate virtually every pin and connection at any time without touching anything. I call it f*cking magic.

These LEDs are lit because I told the chip I needed those outputs on for testing purposes.

Unfortunately I cannot explain the magic in the space of this post, however, here is a link to the IEEE specification. While IEEE doesn't want you to read their standards, someone has helpfully put the 2001 version on slideshare… Reading that spec is still not much fun, but I made a drawing of the important part.

So, long story short: Upload the attached sketch to an Arduino, take a peek at the top of the file maybe, and connect to it with a terminal emulator (read minicom) or the Arduino IDE's serial monitor (set to line-ending "Newline"). Enter a capital X and it will interrogate the JTAG interface to find all the connected devices (chips). It lists their built-in identification codes which take the form of 32 bits in four groups:

59604093 [0101 1001011000000100 00001001001 1]

The groups are, from most to least significant bit: 4-bit product version (5), 16-bit product code (9604 is the XC9572XL), 11-bit manufacturer code (00001001001 is Xilinx), and one bit that is always 1 for thaumaturgic reasons.

I should find a PC mainboard to try this with.

Next, I need to get the CPLD programmed. Xilinx uses (X)SVF files for this, a file format that describes what to do on a JTAG interface in a more high-level fashion than my bit-banging. I need a "player" for this format that translates standard SVF commands into "bang language" and vice-versa. The good thing is that I can now do this in a high-level programming language of my choice entirely on the host instead of cramming it into the Arduino.

The adventure after that will be learning VHDL and designing an actual integrated circuit.

Attachment: jtagbang.ino (v0.1)

I am releasing the code under the terms of the quite permissive ISC license.

Read More

Arduino as a simple JTAG adapter

After building up a Xilinx XC9572XL breakout board from Dangerous Prototypes, Karl Hans Janke needed a JTAG interface (a device to access on-chip debug modules and for other purposes). Instead of forking out for the commercial product, Karl instead device his own version using an Arduino - for next to no cost at all. His Arduino sketch allows direct interaction with the JTAG interface from a serial terminal.

Karl continues with more about the concept of debugging and the JTAG specification, as well as hosting the required sketch for download on his website. And for more, we're on twitter and Google+, so follow us for news and product updates as well.

pesco blogged about his free XC95144XL CPLD breakout board PCB build:

A good while ago I won one of the free PCBs regularly given away by DIY hardware shop Dangerous Prototypes. My board of choice was a CPLD breakout board, for the Xilinx XC9572XL. CPLDs are the smaller brother of FPGAs: programmable logic chips that can be made to act as any integrated circuit within the device’s limits. The XC9572XL is programmed via a standard JTAG interface. I did not have anything that speaks JTAG so went looking if my Arduino can be turned into an appropriate programmer. The solution that I found, however, did not work; so I built my own.

If you're new to Arduino and want to join the fun, the first step is a solid board for your projects - our Freetronics Eleven - the Arduino-Uno compatible with low-profile USB socket, onboard prototyping space and easy to view LEDs:

Read More

EN25T80 Programmer USB Series SPI FLASH BIOS 24CXX25XX STC AVR Support TTL

EN25T80 Programmer USB Series SPI FLASH BIOS 24CXX25XX STC AVR Support TTL

Download software and driver here.

Descriptions

Features:

• Using a dedicated 3.3V voltage regulator IC, BIOS chips can be better protected.
• With 500mA resettable fuse to protect your computer USB port safety.
• System Support: Winodws XP, Windows VISTA, Windows 7.
• Size:4.5CM ╳ 3.6CM easy to carry
• Comes with a patch BIOS chip programming installation bit, the BIOS chip programmer SOP package more convenient.

Support Chips:

AMIC： A25L05P，A25L10P，A25L20P，A25L40P，A25L80P，A25L16P ATMEL： AT25DF041A，AT25DF321，AT25F004，AT25F512A，AT25F2048，AT25F4096， AT25F1024A，AT25FS010，AT25FS040，AT26DF081A，AT26DF161A， AT26DF321，AT26F004 EON： EN25B05，EN25P05，EN25B10，EN25P10，EN25BF20，EN25P20， EN25F20，EN25B40，EN25P40，EN25F40，EN25B80，·EN25P80， EN25F80， EN25T80，EN25B16，EN25P16，EN25B32，EN25P32， EN25B64，EN25P64 Excel Semiconductor Inc. ES25P10，ES25P20，ES25P40，ES25P80，ES25P16，ES25P32 ST： M25P05A，M25P10A，M25P20，M25P40，M25P80，M25P16， M25P32，M25P64，M25PE10，M25PE20，M25PE40，M25PE80， M25PE16，M25PE32，M45PE10，M45PE20，M45PE40，M45PE80， M45PE16，M45PE32 MXIC： MX25L512，MX25L1005，MX25L2005，MX25L4005，MX25L8005，MX25L1605， MX25L3205，MX25L6405 NexFlash： NX25P80，NX25P16，NX25P32 Chingis Technology Corporation Pm25LV512，Pm25LV010，Pm25LV020，Pm25LV040，Pm25LV080，Pm25LV016， Pm25LV032，Pm25LV064 Saifun Semiconductors SA25F005，SA25F010，SA25F020，SA25F040，SA25F080，SA25F160，SA25F320， Silicon Storage Technology SST SST25VF512A，SST25LF010A，SST25VF010A，SST25LF020A，SST25VF020， SST25LF040A，SST25VF040B，SST25LF080A，SST25VF080B，SST25VF016B，SST25VF032B WINBOND W25P10，W25X10，W25Q10，W25P20，W25X20，W25Q20，W25P40，W25X40， W25Q40，W25P80，W25X80，W25Q80，W25P16，W25X16 24CXX 24LCXX 24C01, 24C02, 24C04, 24C08, 24C16, 24C32, 24C64, 24C128, 24C256, 24C512, 24C1024. 24LC01, 24LC02, 24LC04, 24LC08, 24LC16, 24LC32, 24LC64, 24LC128, 24LC256, 24LC512, 24LC1024 AVR ATMEGA8 ATMEGA16 ATMEGA32 ATMEGA64 ATMEGA128 ATMEGA8515 ATMEGA8535ATMEGA48ATMEGA88 ATMEGA168 AT89S51 AT89S52 STC series chip 3.3V and 5V STC89C51RC, STC89C52RC, STC89C53RC, STC89C54RD +, STC89C55RD +, STC89C58RD +, STC89C510RD +, STC89C512RD +, STC89C513RD +, STC89C514RD +, STC89C516RD +, STC89C58RD, STC89C561RD STC12C1052, STC12C2052, STC12C3052, STC12C4052, STC12C5052, STC12C1052AD, STC12C2052AD, STC12C3052AD, STC12C4052AD, STC12C5052AD STC11F01, STC11F02, STC11F03, STC11F04, STC11F05, STC11F01E, STC11F02E, STC11F03E, STC11F04E, STC11F05E STC10F02, STC10F04, STC10F06, STC10F08, STC10F010, STC10F012 STC12C5A60S2 Series STC12C5608AD Series

Read More