Tftp secret of TL-WR740N uncovered

I've found out that even this particular entry-level router supports anti-bricking, so there's no need for soldering, unless of course you are modding. The method I used is the following:
  1. Set up a tftp server on your PC and verify if it works correctly (configuration, permissions, firewalls, etc.)
  2. Rename your target firmware to wr740v4_tp_recovery.bin and copy it to your base folder (by default /tftpboot). I tested with openwrt-ar71xx-generic-tl-wr740n-v4-squashfs-factory.bin r43602.
  3. Set up the following static IP for your PC: 192.168.0.66/255.255.255.0. If you're not sure about the firmware name on a different model, start a packet sniffer on your PC (tcpdump -i eth0 -n -l) and look for the name in the RRQ message.
  4. Preferably disconnect WAN from the router
  5. Connect the PC to a LAN port
  6. Power off the router
  7. Press and hold the reset button
  8. Power on the router
  9. After the leftmost (power) LED and the rightmost (padlock) LED turn on alone in a few seconds, release the reset button
  10. The router will now identify as 192.168.0.86, finish upgrading using its built-in tftp client and reboot in less than half a minute. In case of failure, it retries multiple times and gives up in about 5-10 seconds to resume normal booting. No configuration is erased, so it's safe to experiment. OpenWRT will need to finish initialization on first/second startup if that's what you are installing
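
To see what the bootloader actually asks for without hunting through tcpdump output (step 3 above), here is an added example that is not part of the original post: a Python listener bound to the PC's static recovery address 192.168.0.66 on UDP port 69 that decodes each TFTP read request and logs the requested file name without serving anything. It assumes the real tftp server is stopped while it runs; SAMPLE_RRQ is a constructed packet.

```python
"""Log which file the TL-WR740N bootloader requests over TFTP.

Added example, not part of the original post: bind the PC's static
recovery address from step 3 (192.168.0.66, UDP port 69) and decode each
read request (RRQ) by hand.  Nothing is ever sent back, so the bootloader
retries a few times and then resumes normal boot, as described in step 10.
SAMPLE_RRQ is a constructed packet, not a capture.
"""
import socket
import struct
import sys

TFTP_PORT = 69
OP_RRQ = 1

# Constructed: opcode 1, file name, mode "octet", and a tsize option (RFC 2347).
SAMPLE_RRQ = b"\x00\x01wr740v4_tp_recovery.bin\x00octet\x00tsize\x000\x00"


def parse_rrq(payload: bytes) -> dict:
    """Decode a TFTP RRQ: 2-byte opcode, NUL-terminated file name and mode,
    then any number of NUL-terminated option/value pairs."""
    if len(payload) < 4:
        raise ValueError("too short for a TFTP request")
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode != OP_RRQ:
        raise ValueError(f"opcode {opcode} is not a read request")
    fields = payload[2:].split(b"\x00")
    if fields[-1] == b"":          # drop the empty piece after the final NUL
        fields.pop()
    if len(fields) < 2:
        raise ValueError("read request without file name or mode")
    text = [f.decode("ascii", errors="replace") for f in fields]
    if not text[0]:
        raise ValueError("empty file name")
    if len(text[2:]) % 2:
        raise ValueError("option name without a value")
    options = dict(zip(text[2::2], text[3::2]))
    return {"filename": text[0], "mode": text[1].lower(), "options": options}


def listen(bind_addr: str = "192.168.0.66", port: int = TFTP_PORT) -> None:
    """Print every read request that reaches this PC (port 69 needs root).
    Stop the real tftp server first so the two do not fight over the port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    print(f"waiting on {bind_addr}:{port}; now power the router on with reset held")
    while True:
        data, (src_ip, src_port) = sock.recvfrom(2048)
        try:
            req = parse_rrq(data)
        except ValueError as exc:
            print(f"{src_ip}:{src_port}: ignored ({exc})")
            continue
        print(f"{src_ip}:{src_port} asks for {req['filename']!r} "
              f"mode={req['mode']} options={req['options']}")


if __name__ == "__main__":
    listen(sys.argv[1] if len(sys.argv) > 1 else "192.168.0.66")
```

The router should show up as 192.168.0.86 and retry the request a few times before giving up, so several identical lines in a row are expected.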
I was preparing to replace the factory default U-Boot with an alternative that supports recovery measures to save you from bricking: web failsafe or the pepe2k mod. This is a must-have if you are experimenting with OpenWRT/DD-WRT a lot and don't want to solder a serial port or JTAG header onto your board. I found this out after trial and error and fiddling a bit with tcpdump. By the way, in my opinion, tftp is a much cleaner solution for mass router flashing than scripting the web interface.

For future reference, I share some information for identification below.

On the box it says ver: 4.27.

On the updated version of the stock firmware the web interface said:
Firmware Version:
3.17.0 Build 140520 Rel.75075n
Hardware Version:
WR740N v4 00000000

Some lines from dmesg:
Linux version 3.14.26 (openwrt@gb-17) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r43602) ) #1 Thu Dec 11 07:13:50 UTC 2014
CPU0 revision is: 00019374 (MIPS 24Kc)
SoC: Atheros AR9330 rev 1
Kernel command line:  board=TL-WR741ND-v4 console=ttyATH0,115200 rootfstype=squashfs,jffs2 noinitrd
Memory: 28456K/32768K available (2517K kernel code, 122K rwdata, 516K rodata, 228K init, 191K bss, 4312K reserved)
Clocks: CPU:400.000MHz, DDR:400.000MHz, AHB:200.000MHz, Ref:25.000MHz
Calibrating delay loop... 265.42 BogoMIPS (lpj=1327104)
MIPS: machine is TP-LINK TL-WR741ND v4
m25p80 spi0.0: found s25sl032p, expected m25p80
m25p80 spi0.0: s25sl032p (4096 Kbytes)
eth0: Atheros AG71xx at 0xba000000, irq 5, mode:GMII
eth1: Atheros AG71xx at 0xb9000000, irq 4, mode:MII
eth0: link up (1000Mbps/Full duplex)

I have found a report in the dd-wrt forum from the user 'kar200' about similar findings.

I wouldn't be surprised if this finding generalized to similar chipsets including the tl-wr703n ("If the button is pushed immediately after powering on, the single blue LED will start blinking, supposedly indicating some failsafe firmware recovery mody [sic] of the embedded bootloader (not yet discovered how to use it)"), WR741ND, WR841ND, MR3020, etc.

Please leave a comment (and/or update the respective wiki page) if you succeed in reproducing this hidden recovery mode in any other version or model.

edit: many more router models confirmed to have the same recovery (fixed link)
edit #2: here's a video to show you the process

Comments

  1. Thanks for this tip!
    Works on v4.23 after upgrading firmware to 3.17.0 Build 140520 Rel.75075n (wr740nv4_en_3_17_0_up_boot(140520).bin). As the binary filename suggests, it updates the bootloader too, so this should work with any v4.

  2. Great, glad to hear that! Did it work with the built-in firmware before upgrading? Do you happen to know the version number of the previous one?

  3. The firmware from before was v 3.16.5 but I'm not sure what build, and the procedure did not work - the router just reset itself to factory defaults.

  4. Good to know. I've noted it down in the other table. I'm testing a few more revisions myself to further bisect the date interval. I'll update both posts in a few days with further results. I hope you enjoy your new Linux powerhorse without the tears!

  5. Hi! I have a TL-WR740N Ver 4.28. I tried the steps above but unfortunately it doesn't seem to work on my router. Any other remedy? Help please! :( Or I might be doing everything wrong. Do you have screenshots, please?

    Replies
    1. I have V4.28. I used the SolarWinds TFTP server (Windows) and did the same steps. At first it didn't work out. I tried pressing the reset button and holding it till the TFTP server detected the router automatically and flashed the factory firmware! :)
      (Note what worked for me: don't release the reset button after the leftmost (power) LED and the rightmost (padlock) LED turn on alone)

      For V4.28, I followed this guide and installed OpenWrt Attitude Adjustment without any errors:

      https://phobosk.wordpress.com/2012/10/21/how-to-turn-your-tp-link-tl-wrt740n-router-into-a-fully-functional-one-using-openwrt/

    2. Hey, nice to hear from you. Have fun with your new embedded platform! Also note that since that guide was written, newer versions of OpenWrt have become available. Check out whether 14.04 Barrier Breaker and 15.05 Chaos Calmer RC* would offer something for you. Specifically, Chaos Calmer should enable you to use all 13 channels if you live in that part of the world.

    3. I tried Chaos Calmer first; it seems it bricked my router. So I restored the factory firmware using your tutorial and tried Attitude Adjustment. Now I will try Barrier Breaker and inform you.

    4. Very interesting. Actually I'm using Barrier Breaker on all of my routers. I've only tested Chaos Calmer on two specimens of TL-WR841N v9. I planned to wait for the final release before upgrading my whole fleet.

      It looks like they could use some testing, so maybe I'll reconsider and install it on one of each kind of device I have and report back. If reproducible, it would be nice to let them know via the dev mailing list with a serial log attached, if available.

      Interestingly, flashing even stock firmware on TL-WR741ND v4 from the web GUI carries a high risk of bricking. Although, u-boot is usually successfully updated. I had very good luck with TL-WR740N.

    5. You saved so many TL-WR740N routers. Thank you :)

    6. Upgraded to Barrier Breaker. Thanks for the suggestion.

    7. Nice to hear about your success and that you're in for some more fun. You gave me an idea. We should put a banner at the respective router's OpenWrt and dd-wrt wiki page telling you to upgrade your OEM firmware before proceeding with *wrt installation in case it also updates your u-boot to a safe one.

    8. Hi Bro, upgraded from Barrier Breaker to Chaos Calmer using the openwrt-15.05-ar71xx-generic-tl-wr740n-v4-squashfs-sysupgrade.bin file. New stable release :) on V4.28.

    9. Excellent! I myself have upgraded the very similar TL-WR741ND v4 to Chaos Calmer and it seems to work alright. Please do post back if you find any issue.

    10. No issues so far :)

  6. Hello Bryan! It seems that not all devices are up to date as shipped from the factory. It may also depend on the date of manufacture. Current testing shows that firmware from 2013-03-29 or older does not feature this option, while version 2013-05-29 and later does. If you haven't upgraded before experimenting, you must now follow the standard recovery path. If OpenWRT or dd-wrt was installed, try to trigger failsafe mode. Otherwise, you need to unscrew the device, find the serial port and purchase an inexpensive low voltage serial-USB adapter. http://wiki.openwrt.org/doc/howto/generic.debrick

    By the way, I did encounter a device with a broken reset button once. Is yours doing anything at all?

  7. Hi
    I had a tp-link wr740n v4.23 and I installed dd-wrt on it. Unfortunately dd-wrt wasn't able to detect my automatic (dynamic) IP address, so I tried to revert back to tp-link's original firmware, but dd-wrt didn't allow me to. I mistakenly used the command mtd -erase linux and my router bricked, and after that all of the router's LEDs blink simultaneously.
    I followed the above steps and tftpd32 showed it transferring wr740v4_tp_recovery.bin, but actually nothing happens and again after the transfer all of the LEDs blink simultaneously. Is there anything I can do? Should I try the serial console?

    Replies
    1. Try the SolarWinds TFTP server and don't release the reset button till the firmware is flashed automatically.

  8. Hello Mr. Anonymous. It's a good sign that tftpd32 shows a transfer request. The transfer takes a few seconds, the flashing itself takes a few more seconds, and your device should be rebooted automatically afterwards (all LEDs light up), which is what you are seeing currently. Could you possibly monitor whether the transfer succeeded in practice? The loader does retry a few times and should resume booting after a failed attempt; however, your bricked firmware could also be causing a reboot. For example, on Ubuntu you need to double check file permissions and of course you need to copy and rename the OEM firmware to the correct place. Also note that as per the above instructions, you will need an OEM firmware which lacks the u-boot, because u-boot wisely skips overwriting itself. So you need to type in something like the following on Linux; I'm not sure how you are supposed to strip the first 257*512 bytes of a file under Windows. The same restriction applies under the serial console.
    dd if=downloaded_oem_whatever.bin of=wr740v4_tp_recovery.bin skip=257 bs=512
    Good luck!

  9. n.b. if you are using an openwrt image file as described in the original steps, it already lacks a boot part, so no further tweaks should be needed with dd. Do note, however that if you are installing the above mentioned or any snapshot version instead of a stable release like Barrier Breaker, you will not get any web interface. You will need to telnet to log in. This is for experts only, so stick with Barrier Breaker or a stripped OEM firmware.

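The two comments above describe the boot-part rule (strip the first 257*512 bytes from an OEM image; an OpenWrt factory image already lacks it). The following is an added example, not code from the post: a portable equivalent of that dd cut with the size checks the thread relies on. The OEM image size of 4063744 bytes is derived from 131584 + 3932160 and is an assumption.

```python
"""Prepare wr740v4_tp_recovery.bin from a TP-Link OEM or OpenWrt image.

Added example, not part of the original post: the same cut as the dd
command above (skip=257 blocks of 512 bytes = the 512-byte TP-Link header
plus the 128 KiB u-boot region), with the size check from the thread: the
remaining firmware region must be 3932160 bytes (0x3c0000).  An OpenWrt
*-factory.bin already lacks the boot part and is passed through unchanged.
The expected OEM file size, 131584 + 3932160 = 4063744 bytes, is derived
from those figures and is an assumption, not a value from the post.
"""
import hashlib
import sys

BLOCK = 512
SKIP_BLOCKS = 257
BOOT_PART = SKIP_BLOCKS * BLOCK            # 131584 bytes = 0x20200 (header + u-boot)
FIRMWARE_PART = 0x3C0000                   # 3932160 bytes, the size the thread checks for
OEM_WITH_BOOT = BOOT_PART + FIRMWARE_PART  # 4063744 bytes (assumed OEM image size)


def prepare_recovery_image(data: bytes) -> bytes:
    """Return the image u-boot's recovery mode expects: the firmware region only."""
    size = len(data)
    if size == FIRMWARE_PART:
        # Already boot-less, e.g. an OpenWrt *-factory.bin: nothing to strip.
        return data
    if size == OEM_WITH_BOOT:
        # OEM image with header and u-boot in front: drop the first 257*512 bytes.
        return data[BOOT_PART:]
    raise ValueError(
        f"unexpected image size {size} bytes: expected {FIRMWARE_PART} "
        f"(boot-less) or {OEM_WITH_BOOT} (OEM image with header and u-boot)"
    )


def write_recovery_file(src: str, dst: str = "wr740v4_tp_recovery.bin") -> tuple:
    """Strip src into dst and return (size, md5) so the result can be compared
    against a known-good hash before it is offered over tftp."""
    with open(src, "rb") as f:
        out = prepare_recovery_image(f.read())
    with open(dst, "wb") as f:
        f.write(out)
    return len(out), hashlib.md5(out).hexdigest()


if __name__ == "__main__":
    size, digest = write_recovery_file(sys.argv[1])
    print(f"{digest}  wr740v4_tp_recovery.bin ({size} bytes)")
```

Copy the resulting file to the tftp base folder (/tftpboot by default) and compare the printed MD5 with the one you obtained from the download source before starting the recovery.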
  10. Thanks Mr bkil,
    I tried all images and even a stripped OEM firmware and had no success. tftpd32 shows a transfer, but after the transfer the router's LEDs all light on and off periodically. I wasn't able to use serial mode (I don't know what was wrong). Strangely, two times out of these many failed attempts, when I used "factory to dd-wrt.bin" the router behaved differently: after the transfer only the power LED was on, but many times I was unable to repeat this scenario. As I said, these were the steps that bricked my wr740n v4.23 router:
    1. flashed factory to dd-wrt.bin
    2. upgraded dd-wrt webflash
    after many failed attempts to revert to tp-link's original firmware:
    3. I used mtd erase linux command and the router bricked

    Replies
    1. Hello!

      Thank you for the further information. I do have many ideas to try out. However, your specific issue is a bit off-topic and getting a bit too long-winded.

      Please open a new thread at the Atheros dd-wrt forum section, for example. Then post back a link here, so I and others can list a few more things to try out over there.

      Regards!

    2. I had same problem with V4.28. "tftpd32 shows a transfer but after the transfer router's leds all light on and off periodically."
      for this issue,
      1. use solar winds tftp server
      2. press and don't release the reset button till the tftp server detects the router as 192.168.0.86 and flashes the firmware placed in C:\TFTP-Root automatically.

  11. Hi, I've bricked this router with the same version during uploading the stock firmware from openwrt. The LEDs all light up for a few seconds and then it reboots. I've tried to use tftp to re-upload the new fw; the tftp app says that the file is successfully transferred but the router is stuck again in a boot loop. How can I resolve this?

    Replies
    1. Please open a new thread at the OpenWRT forum titled something along the lines of "bricked 740N when returning to stock from OpenWrt". We can assist you there:
      https://forum.openwrt.org/viewforum.php?id=10

      When creating the first post of the thread, please do answer the following questions.
      1) I will need detailed information on the exact image you try to tftp, including source URL, size and MD5/sha1 hash and the method with which you've removed the boot part.
      2) Specify the exact model and version number as written on the sticker at the bottom.
      3) If you temporarily rename your file at the tftp server, but otherwise follow the above instructions, your rightmost (QSS) LED should stay on for about 10 seconds and your tftp server should log multiple failed attempts to get the file. If the correct file is present, only a single get should be present in the log.
      4) You may verify whether the file has been transferred by starting Wireshark and inspecting lots of ~500 byte UDP packets (the sum transferred should be about the file size, ~4MB). The transfer usually takes only 1 or 2 seconds.
      5) After the transfer, all LEDs on the router should stay calm for about 5-10 seconds. In this phase, the device is writing the image from RAM. You should see a short full strobe indicating a reset, then the normal boot sequence should continue. OpenWrt needs another half a minute to initialize, I guess the factory one will also take its time.
      6) What was the exact sequence of OpenWrt commands with which you tried to revert to stock? What was the exact image file you used for that attempt?
      7) What was the last known working stock firmware you have installed? I'm asking because of the u-boot version.

    2. The version is 4.27. I've tried to flash latest tplink stock firmware with the below command:
      mtd -r write /tmp/original_firmware.bin firmware
      I don't know what the last stock version I was running on was.

    3. I'm still waiting for the thread and further answers. However, I have a feeling that you left in the boot part in original_firmware.bin. If you have no easy way to cut off the first 257*512 bytes, I have a somewhat involved workaround for you.
      1) back up the OEM image you are trying to recover to, or download it again later on:
      http://www.tp-link.com/en/support/download/?model=TL-WR740N&version=V4#tbl_j
      2) Download and rename the following image and use it for tftp recovery:
      http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/openwrt-ar71xx-generic-tl-wr740n-v4-squashfs-factory.bin
      3) OpenWrt should boot in a minute and you can telnet in again.
      4) Upload the OEM image to the router: /tmp/original_firmware0.bin
      5) strip off the header and u-boot:
      ls -l /tmp/*.bin
      dd if=/tmp/original_firmware0.bin bs=512 skip=257 of=/tmp/original_firmware.bin
      rm /tmp/original_firmware0.bin
      6) ensure correct size of 3932160 Bytes:
      ls -l /tmp/*.bin
      7) then try to flash this:
      mtd -r write /tmp/original_firmware.bin firmware

    4. Still nothing. Below is the log:
      Connection received from 192.168.0.86 on port 1160 [28/02 12:07:04.436]
      Read request for file . Mode octet [28/02 12:07:04.443]
      OACK: [28/02 12:07:04.444]
      Using local port 57260 [28/02 12:07:04.444]
      : sent 7681 blks, 3932160 bytes in 3 s. 0 blk resent [28/02 12:07:07.957]

    5. That's very good, the device completes the full tftp transfer. It looks like you've chosen to stay anonymous instead of registering in the forum. :)

      Two questions remain. Are you sure your device is called TL-WR740N? The second is to please clarify what image file it is you are trying to flash this time. I need a download link, conversion instructions and md5 or sha1 hash of the file: https://support.microsoft.com/kb/841290

    6. I've already registered in the forum but i forgot my password and the associated email :D
      Anyway I'm trying to flash this image
      http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/openwrt-ar71xx-generic-tl-wr740n-v4-squashfs-factory.bin
      How can I proceed with UART mode?

    7. If you are using a new e-mail address, you're always free to reregister ;-)

      You did not confirm that the label on the bottom of your device states TL-WR740N. Note that multiple models have been produced with revisions of 4.27. Just to exclude the obvious...

      The file I used successfully and repeatedly for dozens of routers has the following MD5 hash. Note that network transfers might mess it up. Just as another sanity check.
      1aacb7c7c85835e114b2609c7cd9b5db openwrt-ar71xx-generic-tl-wr740n-v4-squashfs-factory.bin

      As a last question, are you 100% sure that the last OpenWrt flash did not repair the device? There are no bells and whistles - it just starts working in a minute and is accessible via telnet at 192.168.1.1 and later on via http.

      Your answers are a bit sparse and it's difficult to untangle the exact situation. It would be helpful if you could describe every physical action you make and every feedback you receive with LEDs or otherwise, including seconds-accurate timing. Actually it would be easiest for you to record a short video of the procedure and upload it to somewhere (Youtube, etc.).

      Anyway, the versions of u-boot I've tried until now either worked fine for recovery, or didn't do anything at all, i.e., simply resumed booting instead of entering tftp mode. I did encounter an 842ND that refused to accept OpenWrt images over tftp, however it did accept OEM (non-boot) images. If you are sure that your u-boot has a working tftp server, it would be easiest to put a little more effort into sorting out the issue before messing with hardware. In this case, serial will not directly enable you to recover in any smarter way, but it will give you a console log for starters. Fortunately, read-only access means connecting GND&TX should be enough, but a 3.3V USB serial is needed. http://wiki.openwrt.org/toh/tp-link/tl-wr740n#uart_on_v423

      Anyway, unbricking and debugging with serial UART is lots of fun: http://bkil.blogspot.com/2015/02/841n-serial-unbricking-with-needles.html

  12. Solved via serial. Thanks

    Replies
    1. Good to hear that. Did you perhaps save serial logs? I wonder what the u-boot version (date) was and whether there were any errors detected. Did you solder the wires as per the wiki? Did you upgrade to the newest firmware&u-boot via the web interface to enjoy free recovery in the future?

  13. This comment has been removed by the author.

  14. Hi bkil, I have bricked my wr740n v4.21 by upgrading to openwrt without doing a factory reset before.
    So I cannot access it.
    I use a Mac and have downloaded a tftp program but can't seem to connect to the router.
    In the tftp program window there is an address, and I take it I write 192.168.0.86 there; then a window says password.
    Do I have to write anything in it?
    In my LAN network I set up a manual address of 192.168.0.66 then 255.255.255.0, and there is a window which says router address; do I have to write anything there?
    Thanks

    Replies
    1. Please give a link to the thread you have created on the OpenWRT forum so I can help you. https://forum.openwrt.org/viewforum.php?id=10

    2. What do you mean?
      I am not registered on the forum...

    3. https://forum.openwrt.org/viewtopic.php?id=56474
      I opened a topic on the forum

  15. Hi bkil. I've bricked my tl-wr740N; I was trying to downgrade the firmware from openwrt to the factory one. However, I've just uploaded it via the interface of openwrt. After the whole operation my router is blinking like this: https://www.youtube.com/watch?v=q-wQgNKF3Vw . Is there any possibility of fixing it?

    Replies
    1. Please open a new thread at the OpenWrt forum and we'll try to help. That OpenWrt upgrade dialog should not modify your boot loader partition, so a serial recovery is easily feasible if you open the case. Did you try the recovery steps outlined above, i.e. holding down the reset button to see if QSS lights up?

  16. Oh, I tried to find the RRQ message using tcpdump as described, but I can't find the string.

  17. I followed all the procedures described here but it does not work. My router data are: tp-link TL-WR740N, Version 4.23 on the box. I can't upload the original firmware upgrade, because when I try to fix it the web browser just shows three blank frames; after waiting a lot of time just the right frame shows letters but no menu is shown.

    I used tcpdump too to try to get the firmware number or name, but it was not shown either. Any help will be really appreciated, thanks for watching.

    Replies
    1. Send over the produced file if you think you see the WPS LED coming up:
      tcpdump -w wr740-reset-1.pcap
      Otherwise it probably doesn't work. I think I added some parameters to tcpdump to get the string; maybe it was:
      tcpdump -l -vvv -A

    2. You are in luck! I have just recently acquired a TL-WR740N v4.23 which I have not burnt through yet. This one has a very old firmware preinstalled: 3.12.11 Build 120320 Rel.51047n. Perhaps you could try to navigate via direct URL? http://192.168.0.1/userRpm/SoftwareUpgradeRpm.htm
      It would be useful to try to inspect network activity via curl or the network log of the developer's toolbar in your browser.

  18. It's me again, look at the video of it failing please: https://www.youtube.com/watch?v=ruNR_99nOYw&feature=youtu.be

    Replies
    1. Could you perhaps upload a video about what happens when you keep pressing reset, starting before power up?

  19. This comment has been removed by the author.

  20. I have the V4.28 hardware version.

    On the box it says ver: 4.28.

    On the updated version of the stock firmware the web interface said:

    Firmware Version:
    3.17.0 Build 140520 Rel.75075n
    Hardware Version:
    WR740N v4 00000000

    So, check the box for the hardware version, not the web interface.

  21. I was upgrading my stock firmware & faced a power cut. Now my router is bricked and I can't put it into failsafe / reset mode (step 9 is not working for me from your tutorial).
    What else can be done here?
    wr740n v4.23

    Replies
    1. As mentioned above, it's a good idea to open a thread at http://forum.openwrt.org/

      What is the URL, name and md5sum of the file you have flashed? First you must be sure that it is indeed dead. Does a packet analyzer show any activity on any of the LAN or WAN ports after power up with or without pressing reset? Try to repeat a few times. What was the build number or date of the former version, did it support TFTP by reset?

      Considering the price of such a device and your willingness to learn, it's advisable to simply resell or recycle the device on an auction for a few bucks and get another one (the adapter could be sold separately for a few more bucks). You can have a working one for $10 if you are lucky.

      Anyway, if you are desperate, you need to follow the linked recovery procedure of purchasing a cheap USB-to-TTL converter, solder the needed wires and check up whether u-boot responds on the serial port. I haven't timed it precisely, but updating usually goes like: 1-2 seconds to transfer the update to RAM, 1-2 seconds to erase the flash, about 10 seconds to write the flash linearly, starting with u-boot I guess, and then reboot. So the exact time window of producing a complete brick is about 2-3 seconds. If u-boot is dead as well, you will need to purchase a USB or parallel port SPI flasher which isn't that expensive either, desolder the small ROM, flash it externally, and then resolder it. Some put in a socket at the same time to aid in later experimentation. I'm not sure whether JTAG is realistically doable on this model.

      On a different kind of router, I have once encountered both a bad port and another time a bad LED which was unresponsive, nevertheless all worked as expected.

      Do note that I have bricked two specimens of TL-WR741ND in the process of OEM upgrading even when following all instructions. One of them went past u-boot so I could finish by tftp, while the other one is still dead and awaiting serial recovery.

      https://wiki.openwrt.org/toh/tp-link/tl-wr740n#debricking
      https://wiki.openwrt.org/doc/howto/generic.debrick

      Good luck!

  22. Man, you just saved my router! Thanks a lot!
    Everything works on v4.24 with the same server ip-address.

  23. Hi, I followed your steps but no luck to unbrick my router. I started a thread on dd-wrt, if you can contribute any suggestions to that I'd be grateful. Thanks http://www.dd-wrt.com/phpBB2/viewtopic.php?t=302156

  24. Hi all,

    Is the suggested stripping procedure still working nowadays in 2021?

    I have a WA850RE V2 EU (italy) bricked with u-boot working.
    The fw downloaded from tp-link and stripped with "dd if=850rev2_un-up-ver1-0-0-P1[20171228-rel55399].bin bs=512 skip=257 of=firmware.bin" yields "Too big uncompressed streamLZMA ERROR 1"

    binwalk of 850rev2_un-up-ver1-0-0-P1[20171228-rel55399].bin states that the firmware area doesn't start at 0x20200 but at 0xe686, so I gave it a try using skip=59014 and bs=1, but I receive a kernel panic when I try to use this stripped firmware.
    The error reported by u-boot is: "No filesystem could mount root, tried: squashfs" and then "Kernel panic - not syncing: VFS"

    Which is the correct syntax for the dd command to strip away the u-boot part from tp-link stock firmware?

    Thanks

