Flashing TL-WR703N firmware directly to the flash chip



I have already posted a couple times about the TL-WR703N travel router including information about how to flash this router via the serial interface. Today, I am posting yet another method for flashing this router. Here is what you'll need if you're following the same process I took.

Prerequisites
If purchasing on Amazon, look around. At the time that I performed my search there was a bundled clip and flash programmer available for about $10.


The Method
This approach to flashing custom firmware is much simpler than using the serial interface, though it is not without its challenges. On any given router, the flash chip contains more than just firmware. At the very least, a boot partition and a partition for saving user configurations will also exist as well as other identifying information like the MAC address. Knowing where the firmware starts in the flash memory is imperative! On this particular router, the firmware starts at 0x20000 bytes and spans 0x3c0000 bytes. Each router will be different. You just have to search around online to see if you can find that information for the router you want to flash. The second bit that can be tricky with this approach is getting the clip seated just right on the flash chip so the flashrom program can read from and write to the flash chip. This is not as easy as you might think it would be. Just keep trying over and over.

Here are some images of my setup. The flash chip on this router is on the backside. Pin 1 is the pin right beside the little indentation in the chip. The red line on the clip should go to pin 1.
  • Flash chip on the router:
  • Flash programmer (note the jumper setting and sockets to use)
  • Flash programmer with clip attached (note the position of pin 1 and red line on cable)
  • Clip on flash chip (note orientation of red line on clip with chip)


Once I had everything in place, I performed a flash dump. There are two reasons for this. First, if anything went wrong, I wanted to be able to recover the factory flash contents. Second, I wanted to inject the firmware into the existing flash dump leaving the boot partition intact, and that's really easy to do if I already have a digital copy of the existing flash contents.

With the flash dump in hand, I verified that I read it correctly from the router and made a copy of the flash dump. I then used dd to inject a copy of the firmware into the flash dump starting at location 0x20000 in the dump file, making sure the file was not truncated. This overwrites the factory installed firmware but leaves the boot partition, user configuration (nvram) partition, and other important info like router MAC address intact.

At this point, I had a digital copy of the modified flash image but it wasn't yet on my router. Pushing it to the router was easy. Using flashrom, I copied my modified flash image back to the router. The flashrom program automatically verified that the image was saved correctly.

Now, I was almost done. You'll recall that this process doesn't touch the area in memory where user configuration changes are saved (nvram). This meant that all kinds of stuff was out of whack on the first boot, so the last step to get the new firmware up and running correctly was to hold in that reset button and perform a router reset to ensure that the custom firmware was operating with its own default settings.
Do It Yourself
Okay, so I didn't spell out any of the commands to do this yourself. In fact, I figured it would be better to write a script. Check it out on my GitHub page. You will find there everything you need to attempt this yourself. I wrote the script such that it can be used to flash any router, not just the TL-WR703N. However, be warned, the offset of the firmware in flash memory will differ for other makes and models of routers.

Comments

Post a Comment

Popular posts from this blog

Encrypted Ubuntu Installation with "Manual" Partitioning

If you've ever installed a recent version of Ubuntu, you'll know that there is an option for Full-Disk Encryption (FDE) shortly after you begin the installation process. However, if you want to manually partition things (like I do), then you're out of luck! The Ubiquity installer does not support FDE and manual partitioning. That being said, you can still do it. I could be wrong, but I believe I was the first person to document the exact process . I was wrong. I've since found at least two other posts that document this process and predate my initial documentation considerably. If you follow that link and check out my answer, you'll see I note that the process of setting up FDE with LVM is not for novice users. Today I take that back! In this post I present what I call the LGMP (LUKS guided manual partitioning) installation script. I set up different systems from time to time, and it was annoying having to go through the system prep and finalization steps manual
Read more

Router Firmware -- Dumping and Flashing

Image
Introduction If you've ever bricked a router with a bad firmware update and had to reload the firmware over a serial connection, then you may be familiar with much of what I cover here. If you don't even know what firmware is, this post is probably not for you. If you know what firmware is but don't know what I'm talking about with serial connections, keep reading; you may find this interesting. In my particular case, I did not brick a router. The router in question was working exactly as intended by the manufacturer. No, I wanted to put custom firmware on it, and the manufacturer had locked the device down to prevent such modifications. That didn't stop others from exploiting a security hole in the parental control pages to run arbitrary code. Alas, my router had been upgraded with a version of firmware that patched that gaping hole. In addition to these complications, I didn't have the custom firmware file that I needed for flashing. You see, the fi
Read more