Flashing TL-WR703N firmware directly to the flash chip
I have already posted a couple of times about the TL-WR703N travel router, including information about how to flash this router via the serial interface. Today, I am posting yet another method for flashing this router. Here is what you'll need if you're following the same process I took.
Prerequisites
- A Linux system with flashrom installed (I used Ubuntu)
- A SOIC8 SOP8 Flash Clip
- A flash programmer
- Custom firmware to install on the TL-WR703N (OpenWrt, DD-WRT, PirateBox, ...)
The Method
This approach to flashing custom firmware is much simpler than using the serial interface, though it is not without its challenges. On any given router, the flash chip contains more than just firmware. At the very least, a boot partition and a partition for saving user configurations will also exist, as well as other identifying information like the MAC address. Knowing where the firmware starts in the flash memory is imperative! On this particular router, the firmware starts at offset 0x20000 and spans 0x3c0000 bytes. Each router will be different. You just have to search around online to see if you can find that information for the router you want to flash. The second bit that can be tricky with this approach is getting the clip seated just right on the flash chip so that flashrom can read from and write to the chip. This is not as easy as you might think it would be. Just keep trying over and over.
Here are some images of my setup. The flash chip on this router is on the backside. Pin 1 is the pin right beside the little indentation in the chip. The red line on the clip should go to pin 1.
- Flash chip on the router
- Flash programmer (note the jumper setting and sockets to use)
- Flash programmer with clip attached (note the position of pin 1 and the red line on the cable)
- Clip on flash chip (note the orientation of the red line on the clip relative to the chip)
Once I had everything in place, I performed a flash dump. There are two reasons for this. First, if anything went wrong, I wanted to be able to recover the factory flash contents. Second, I wanted to inject the firmware into the existing flash dump leaving the boot partition intact, and that's really easy to do if I already have a digital copy of the existing flash contents.
With the flash dump in hand, I verified that I read it correctly from the router and made a copy of the flash dump. I then used dd to inject a copy of the firmware into the flash dump starting at location 0x20000 in the dump file, making sure the file was not truncated. This overwrites the factory installed firmware but leaves the boot partition, user configuration (nvram) partition, and other important info like router MAC address intact.
At this point, I had a digital copy of the modified flash image, but it wasn't yet on my router. Pushing it to the router was easy. Using flashrom, I wrote my modified flash image back to the chip. flashrom verifies each write by reading the chip back and comparing it with the image, so I knew the image was saved correctly.
Now, I was almost done. You'll recall that this process doesn't touch the area in flash where user configuration changes are saved (nvram), which still held the factory firmware's settings. This meant that all kinds of stuff was out of whack on the first boot, so the last step to get the new firmware up and running correctly was to hold in the reset button and perform a router reset to ensure that the custom firmware was operating with its own default settings.
Do It Yourself
Okay, so I didn't spell out any of the commands to do this yourself. In fact, I figured it would be better to write a script. Check it out on my GitHub page. You will find there everything you need to attempt this yourself. I wrote the script such that it can be used to flash any router, not just the TL-WR703N. However, be warned, the offset of the firmware in flash memory will differ for other makes and models of routers.
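The dump, verify, inject and write-back steps above, written out as a small shell script. This is an added example and not the author's GitHub script; it assumes a 4 MiB chip (offset plus firmware span), 4 KiB sector alignment, and a flashrom programmer name supplied through the `PROGRAMMER` variable (`ch341a_spi` is only a placeholder default). The firmware offset and span are the TL-WR703N values from the post; every other router needs its own. The firmware partition is erased to 0xff (the state of erased flash) before the new image is written into it, so no bytes of the old firmware linger behind a shorter new one, and the script refuses an image that would not fit in the partition.

```shell
#!/bin/sh
# Added example, not the author's GitHub script: the dump / inject / write-back
# steps from the post, with the checks a careful operator wants around them.
# Assumptions (not from the post): a 4 MiB chip, 4 KiB sector alignment, and a
# flashrom programmer name supplied through PROGRAMMER.
set -u

FW_OFFSET=$((0x20000))     # start of the firmware partition (from the post)
FW_MAXLEN=$((0x3c0000))    # size of the firmware partition (from the post)
PROGRAMMER=${PROGRAMMER:-ch341a_spi}   # assumption: replace with your programmer

# byte_at FILE OFFSET -> prints one byte as two hex digits (spot-check helper)
byte_at() {
    dd if="$1" bs=1 skip="$2" count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# verify_dump A B -> succeeds only if two independent reads of the chip agree.
# A clip that is not seated properly usually shows up here as a mismatch.
verify_dump() {
    cmp -s "$1" "$2"
}

# read_chip_twice OUT -> reads the chip twice with flashrom and keeps OUT only
# if both reads agree (runs flashrom; not exercised by the self-test).
read_chip_twice() {
    flashrom -p "$PROGRAMMER" -r "$1" || return 1
    flashrom -p "$PROGRAMMER" -r "$1.second" || return 1
    if verify_dump "$1" "$1.second"; then rm -f "$1.second"; return 0; fi
    echo "reads differ: reseat the clip and try again" >&2
    return 1
}

# inject_firmware DUMP FW OUT OFFSET MAXLEN -> copy DUMP to OUT, erase the
# firmware partition to 0xff and write FW at OFFSET. The boot partition, the
# MAC address data and the config (nvram) partition outside the range are untouched.
inject_firmware() {
    dump=$1 fw=$2 out=$3 offset=$4 maxlen=$5
    fwlen=$(wc -c < "$fw" | tr -d ' ')
    dumplen=$(wc -c < "$dump" | tr -d ' ')
    if [ "$fwlen" -gt "$maxlen" ]; then
        echo "firmware is $fwlen bytes but the partition holds $maxlen" >&2; return 1
    fi
    if [ $((offset + maxlen)) -gt "$dumplen" ]; then
        echo "partition runs past the end of the $dumplen-byte dump" >&2; return 1
    fi
    if [ $((offset % 4096)) -ne 0 ]; then
        echo "offset must be sector (4 KiB) aligned" >&2; return 1
    fi
    cp "$dump" "$out" || return 1
    # erased flash reads 0xff; blank the whole partition before writing into it
    head -c "$maxlen" /dev/zero | tr '\0' '\377' > "$out.pad" || return 1
    # conv=notrunc: overwrite in place, never shorten the image
    dd if="$out.pad" of="$out" bs=4096 seek=$((offset / 4096)) conv=notrunc 2>/dev/null || return 1
    rm -f "$out.pad"
    dd if="$fw" of="$out" bs=4096 seek=$((offset / 4096)) conv=notrunc 2>/dev/null || return 1
    # the modified image must still be exactly the size of the chip
    [ "$(wc -c < "$out" | tr -d ' ')" -eq "$dumplen" ]
}

# write_chip IMAGE -> flashrom -w erases, writes and verifies by reading back.
write_chip() {
    flashrom -p "$PROGRAMMER" -w "$1"
}

# Full procedure, only when invoked as: sh thisscript.sh run firmware.bin
if [ "${1:-}" = "run" ]; then
    read_chip_twice factory.bin && cp factory.bin factory.bak &&
    inject_firmware factory.bin "${2:?firmware image}" modified.bin "$FW_OFFSET" "$FW_MAXLEN" &&
    write_chip modified.bin &&
    echo "done: hold the reset button so the new firmware starts from its own defaults"
fi
```

Keep `factory.bak` somewhere safe: it is the only copy of the factory boot partition and MAC address data, and writing it back with `write_chip` is how you recover if the new firmware does not boot.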