Opening the WR941ND is unfortunately not absolutely foolproof, as I can confirm 😀
Let me explain, in case somebody else needs some hints
Step 1: Remove rubber feets
There are four rubber feets on the bottom of the device. You have to remove the two one the side where the cables are plugged in. This will reveal two screws.
Step 2: Slide back the black
Now, please unscrew both screws – but not completely – just one or two millimeters.
When you are now pressing against those screws, the other side of the case will lift a bit. Clamp something in the gap and unscrew the screws completely. After that, take a screwdriver to push – from the inside – the other side of the case outwards.
You can now slide back the inner (black) part of the case.
Step 3: Release the Brackets
Once you done with Step 2, you will see two gaps between the white and black parts of the case. Take a look inside, you will see two brackets at the front – release them using a flat screwdriver or sth. like that.
Please solder a little jumper at the first empty place of the two resistors.
To make our life easier, solder in a pinheader 🙂
Hook up a Serial-Adapter
I am going to use two things in this section,
At first you will need a USB to TTL Adapter – I am using one based on the CH340G IC, costs around 5€
Secondly, you will need a Serial Console Application. I am using arch Linux and there I prefer tio, which is just a lovely little app. Give it a try if you are running Linux too: http://tio.github.io/
|RXD||TXD – Pin 1 (bold bar)|
|TXD||RXD – Pin 2|
|GND||GND – Pin 3|
|VCC (3.3V / 5V)||Not connected|
To start up tio using the right settings, type
tio --baudrate 115200 --databits 8 --stopbits 1 --parity none
and plug in the power cord afterwards, you will see somthing like:
flood@flood-r3:[~]$ tio /dev/ttyUSB0 --baudrate 115200 --databits 8 --stopbits 1 --parity none --flow none
[tio 19:47:07] tio v1.32
[tio 19:47:07] Press ctrl-t q to quit
[tio 19:47:12] Connected
[tio 19:47:39] Disconnected
[tio 19:48:09] Connected
U-Boot 1.1.4 (Jun 18 2009 - 15:08:27)
AP81 (ar7100) U-boot
id read 0x100000ff
flash size 8MB, sector count = 128
Flash: 8 MB
Using default environment
No valid address in Flash. Using fixed address
Autobooting in 1 second
Transfer the firmware
To transfer the new firmware, you will need…
Some seconds after powering the system, you will see the following line:
Autobooting in 1 seconds
When you see it, be fast and type in
and press enter as fast as you can. If you where fast enough then your terminal rewards you by showing
Setup and Download
You have to set up the IP-Addresses, we start with the one where the TFTP server is running and after that your own (an IP-address for the bricked router):
ar7100> setenv serverip 192.168.1.1 ar7100> setenv ipaddr 192.168.1.2
Now connect your device (via LAN1) to your computer, don’t forget to set the static IP-address you decided for above (serverip).
Start the uftpd server on your computer, pass the directory where you have downloaded the stock image to and rename the image to something short like img.bin:
sudo uftpd /home/user/Downloads
Now download the image to the device via the following command on your router
ar7100> tftp 0x80800000 img.bin
where 0x80800000 is the destination address, this is just a intermediate place.
Once the download is done, you should see somthing like
Bytes transferred = 3932160 (3c0000 hex)
You need to remember this size of the transfered file (0x3c0000), keep it in mind – I will call it <size>.
Now, please run
ar7100> printenv bootcmd bootcmd=bootm 0xbf020000
Again, please note down this address (0xbf020000) which I will call <start>.
Next, please erase the place where we are going to copy our image to:
ar7100> erase.b <start> +<size> First 0x2 last 0x3d sector size 0x10000 61 Erased 60 sectors
And finally copy the image into the final place
ar7100> cp.b 0x80800000 <start> <size> Copy to Flash... write addr: bf020000 done
Reboot and you are done.