How to unbrick the TL-WR941ND

How to unbrick your TP-Link TL-WR941ND: step-by-step instructions

Disassembly

Opening the WR941ND is unfortunately not absolutely foolproof, as I can confirm 😀

Let me explain, in case somebody else needs some hints.

Step 1: Remove rubber feet

There are four rubber feet on the bottom of the device. You have to remove the two on the side where the cables are plugged in. This will reveal two screws.

Step 2: Slide back the black

Now, please unscrew both screws, but not completely: just one or two millimeters.

When you now press against those screws, the other side of the case will lift a bit. Clamp something in the gap and unscrew the screws completely. After that, take a screwdriver and push the other side of the case outwards from the inside.

You can now slide back the inner (black) part of the case.

Step 3: Release the Brackets

Once you are done with Step 2, you will see two gaps between the white and black parts of the case. Take a look inside and you will see two brackets at the front. Release them using a flat screwdriver or something similar.

Soldering

Jumpers

Please solder a little jumper at the first empty place of the two resistors.

Header

To make our life easier, solder in a pinheader 🙂

Hook up a Serial Adapter

I am going to use two things in this section:

First, you will need a USB to TTL adapter. I am using one based on the CH340G IC, which costs around 5€.

Secondly, you will need a serial console application. I am using Arch Linux and there I prefer tio, which is just a lovely little app. Give it a try if you are running Linux too: http://tio.github.io/

Wiring

CH340G              WR941ND
RXD                 TXD – Pin 1 (bold bar)
TXD                 RXD – Pin 2
GND                 GND – Pin 3
VCC (3.3V / 5V)     Not connected

Connection

To start up tio using the right settings, type (replace /dev/ttyUSB0 with the device node of your adapter)

tio /dev/ttyUSB0 --baudrate 115200 --databits 8 --stopbits 1 --parity none --flow none

and plug in the power cord afterwards. You will see something like:

flood@flood-r3:[~]$ tio /dev/ttyUSB0 --baudrate 115200 --databits 8 --stopbits 1 --parity none --flow none
[tio 19:47:07] tio v1.32
[tio 19:47:07] Press ctrl-t q to quit
[tio 19:47:12] Connected
[tio 19:47:39] Disconnected
[tio 19:48:09] Connected
U-Boot 1.1.4 (Jun 18 2009 - 15:08:27)
AP81 (ar7100) U-boot
DRAM:
sri
32 MB
id read 0x100000ff
flash size 8MB, sector count = 128
Flash: 8 MB
Using default environment
In: serial
Out: serial
Err: serial
Net: ag7100_enet_initialize…
No valid address in Flash. Using fixed address
eth0: 00:03:7f:09:0b:ad
eth0 up
eth0
Autobooting in 1 second

Transfer the firmware

To transfer the new firmware, you will need:

A TFTP server (I am using uftpd) and the original stock firmware, which you can get here.

Interrupting bootup

Some seconds after powering the system, you will see the following line:

Autobooting in 1 seconds

When you see it, be fast and type in

tpl

and press enter as fast as you can. If you were fast enough, your terminal rewards you by showing

ar7100> 

Setup and Download

You have to set up the IP addresses: first the address of the machine where the TFTP server is running (serverip), then an address for the bricked router itself (ipaddr):

ar7100> setenv serverip 192.168.1.1
ar7100> setenv ipaddr 192.168.1.2 

Now connect your device (via LAN1) to your computer, and don’t forget to give your computer the static IP address you chose above as serverip.

Rename the stock image to something short like img.bin, then start the uftpd server on your computer, passing the directory where you downloaded the image:

sudo uftpd /home/user/Downloads

Now download the image to the device by running the following command on your router:

ar7100> tftp 0x80800000 img.bin

where 0x80800000 is the destination address; this is just an intermediate location.

Once the download is done, you should see something like

Bytes transferred = 3932160 (3c0000 hex) 

You need to remember the size of the transferred file (0x3c0000); I will call it <size>.

Now, please run

ar7100> printenv bootcmd
bootcmd=bootm 0xbf020000

Again, please note down this address (0xbf020000) which I will call <start>.

Next, please erase the place where we are going to copy our image to:

ar7100> erase.b <start> +<size>
First 0x2 last 0x3d sector size 0x10000
61
Erased 60 sectors 

And finally copy the image into its final place:

ar7100> cp.b 0x80800000 <start> <size>
Copy to Flash... write addr: bf020000
done 

Reboot and you are done.
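
The erase and copy arguments can be checked on the host before they are typed into U-Boot. The script below is an added example, not part of the original post: it derives the sector range from <start> and <size> using the flash geometry printed in the boot log, refuses ranges that are misaligned or run past the end of the flash, and compares the local image size with the "Bytes transferred" value. The flash base 0xbf000000 is inferred from the erase output (0xbf020000 is reported as sector 0x2), and the function names are illustrative.

```shell
#!/bin/sh
# Added example: sanity-check the U-Boot erase/copy arguments on the host.
FLASH_BASE=$((0xbf000000))        # assumption: inferred, 0xbf020000 is sector 0x2
FLASH_SIZE=$((8 * 1024 * 1024))   # boot log: "flash size 8MB"
SECTOR=$((FLASH_SIZE / 128))      # boot log: "sector count = 128" -> 0x10000
LOAD_ADDR=0x80800000              # intermediate address used for the tftp download

# Accept only 0x-prefixed hex so nothing else reaches shell arithmetic.
is_hex() {
    case "$1" in
        0x|0x*[!0-9a-fA-F]*) return 1 ;;
        0x*) return 0 ;;
        *) return 1 ;;
    esac
}

# flash_plan <start> <size>: print the sector range and the two U-Boot
# commands, or fail if the range is misaligned or leaves the flash chip.
flash_plan() {
    is_hex "$1" && is_hex "$2" || { echo "arguments must be 0x-prefixed hex" >&2; return 1; }
    start=$(($1)); size=$(($2)); off=$((start - FLASH_BASE))
    [ "$size" -gt 0 ] || { echo "size must be greater than zero" >&2; return 1; }
    [ "$off" -ge 0 ] || { echo "start is below the flash base" >&2; return 1; }
    [ $((off % SECTOR)) -eq 0 ] || { echo "start is not sector aligned" >&2; return 1; }
    [ $((off + size)) -le "$FLASH_SIZE" ] || { echo "range runs past the end of flash" >&2; return 1; }
    first=$((off / SECTOR))
    count=$(( (size + SECTOR - 1) / SECTOR ))   # partially used sectors are erased whole
    last=$((first + count - 1))
    printf 'first=0x%x last=0x%x sectors=%d\n' "$first" "$last" "$count"
    printf 'erase.b 0x%x +0x%x\n' "$start" "$size"
    printf 'cp.b %s 0x%x 0x%x\n' "$LOAD_ADDR" "$start" "$size"
}

# size_matches <image> <size>: succeed only if the local file is exactly as
# large as U-Boot's "Bytes transferred" value, i.e. the transfer was complete.
size_matches() {
    is_hex "$2" || return 1
    [ "$(wc -c < "$1" | tr -d ' ')" -eq "$(($2))" ]
}

# Values from this page: <start> = 0xbf020000, <size> = 0x3c0000
flash_plan 0xbf020000 0x3c0000
```

The first output line should agree with what U-Boot prints after erase.b (first and last sector, number of sectors erased); if it does not, stop before running cp.b.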