Skip to content

Specialized boot loader with enhanced recovery capabilities for routers

License

Notifications You must be signed in to change notification settings

CodeFetch/router-u-boot

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Bootloader for routers

Table of contents

Introduction

This project is based on Piotr Dymacz's u-boot_mod. It aims to continue the great effort he put in creating a versatile fork of U-Boot with modifications specifically fit for off-the-shelf routers. In the long-term most of the U-Boot code will be replaced as the base of this fork (U-Boot 1.1.4) is far from upstream and most of U-Boot's newer features go beyond the scope of booting or recovering a router. This bootloader aims to be small in size while offering the wishful recovery methods for routers.

You can find OEM sources for reference from the following pages:

Supported devices

Currently supported devices:

  • Atheros AR9331:

    • 8devices Carambola 2 (for version with development board, photos in my gallery)
    • ALFA Network AP121F
    • ALFA Network Hornet-UB/Hornet-UB-64 (aka Hornet-UB x2)
    • ALFA Network Tube2H
    • Black Swift
    • CreatComm Technology D3321
    • Dragino MS14/N
    • GainStrong Oolite v1/Elink EL-M150 module with dev board (photos in my gallery)
    • GL.iNet 64xxA (photos in my gallery)
    • GL.iNet GL-AR150
    • GL.iNet GL-USB150
    • Hak5 LAN Turtle
    • Hak5 Packet Squirrel
    • Hak5 WiFi Pineapple NANO
    • TP-Link TL-MR10U v1 (photos in my gallery)
    • TP-Link TL-MR13U v1
    • TP-Link TL-MR3020 v1 (photos in my gallery)
    • TP-Link TL-MR3040 v1 and v2
    • TP-Link TL-MR3220 v2
    • TP-Link TL-WR703N v1, (photos in my gallery)
    • TP-Link TL-WR710N v1 (version for European market, photos in my gallery)
    • TP-Link TL-WR720N v3 (version for Chinese market)
    • TP-Link TL-WR740N v4 (and similar, like TL-WR741ND v4)
    • Village Telco Mesh Potato 2 (based on Dragino MS14/N)
  • Atheros AR1311 (similar to AR9331)

  • Atheros AR9341:

    • EnGenius ENS202EXT
    • TP-Link TL-MR3420 v2
    • TP-Link TL-WA801ND v2
    • TP-Link TL-WA830RE v2
    • TP-Link TL-WR841N/D v8
    • TP-Link TL-WR842N/D v2
    • YunCore CPE870
  • Atheros AR9342:

    • TP-Link TL-WR1041N v2
  • Atheros AR9344:

    • ALFA Network N5Q
    • GL.iNet GL-AR300
    • TP-Link TL-WDR3500 v1
    • TP-Link TL-WDR3600 v1
    • TP-Link TL-WDR43x0 v1
  • Qualcomm Atheros QCA953x:

    • ALFA Network R36A
    • Comfast CF-E314N
    • Comfast CF-E320N v2
    • Comfast CF-E520N/CF-E530N
    • GainStrong Oolite v5.2 (module and dev board)
    • GL.iNet GL-AR300M Lite
    • GL.iNet GL-AR750
    • Joy-IT JT-OR750i
    • P&W CPE505N
    • P&W R602N
    • TP-Link TL-MR22U v1
    • TP-Link TL-MR3420 v3
    • TP-Link TL-MR6400 v1, v2
    • TP-Link TL-WA850RE v2
    • TP-Link TL-WR802N
    • TP-Link TL-WR810N v1, v2
    • TP-Link TL-WR820N (version for Chinese market)
    • TP-Link TL-WR841N/D v9, v10, v11
    • TP-Link TL-WR842N/D v3
    • TP-Link TL-WR902AC v1
    • Wallys DR531
    • WHQX E600G/AC v2
    • YunCore AP90Q
    • YunCore CPE830
    • YunCore T830
    • Zbtlink ZBT-WE1526
  • Qualcomm Atheros QCA956x:

    • TP-Link EAP245 v1

I tested this modification on most of these devices, with OpenWrt and OFW firmware. If you are not sure about the version of your device, please contact with me before you try to make an upgrade. Changing bootloader to a wrong version will probably damage your router and you will need special hardware to fix it, so please, be very careful.

More information about supported devices:

Model SoC FLASH RAM U-Boot image U-Boot env
8devices Carambola 2 AR9331 16 MiB 64 MiB DDR2 256 KiB R/W
ALFA Network AP121F AR9331 16 MiB 64 MiB DDR1 192 KiB, LZMA R/W
ALFA Network Hornet-UB AR9331 8/16 MiB 32/64 MiB DDR1 256 KiB R/W
ALFA Network N5Q AR9344 16 MiB 64 MiB DDR2 384 KiB, LZMA R/W
ALFA Network R36A QCA9531 16 MiB 64 MiB DDR2 384 KiB, LZMA R/W
ALFA Network Tube2H AR9331 8/16 MiB 32/64 MiB DDR1 256 KiB R/W
Black Swift AR9331 16 MiB 64 MiB DDR2 128 KiB, LZMA R/W
Comfast CF-E314N QCA9531 16 MiB 64 MiB DDR2 64 KiB, LZMA RO
Comfast CF-E320N v2 QCA9531 16 MiB 64 MiB DDR2 64 KiB, LZMA RO
Comfast CF-E520N/CF-E530N QCA9531 8 MiB 32 MiB DDR2 64 KiB, LZMA RO
CreatComm Technology D3321 AR9331 8 MiB 32 MiB DDR1 256 KiB RW
D-Link DIR-505 H/W ver. A1 AR1311 8 MiB 64 MiB DDR2 64 KiB, LZMA RO
Dragino MS14/N AR9331 16 MiB 64 MiB DDR1 192 KiB R/W
EnGenius ENS202EXT AR9341 16 MiB 64 MiB DDR1 256 KiB R/W
GainStrong Oolite v1/Elink EL-M150 module AR9331 4/8/16 MiB 64 MiB DDR2 64 KiB, LZMA RO
GainStrong Oolite v5.2 QCA9531 16 MiB 64/128 MiB DDR2 256 KiB, LZMA RO
GL.iNet 64xxA AR9331 8/16 MiB 64 MiB DDR1 64 KiB RO
GL.iNet GL-AR150 AR9331 16 MiB 64 MiB DDR2 256 KiB R/W
GL.iNet GL-AR300 AR9344 16 MiB 128 MiB DDR2 256 KiB R/W
GL.iNet GL-AR300M Lite QCA9531 16 MiB 128 MiB DDR2 256 KiB R/W
GL.iNet GL-AR750 QCA9531 16 MiB 128 MiB DDR2 256 KiB R/W
GL.iNet GL-USB150 AR9331 16 MiB 64 MiB DDR2 256 KiB R/W
Joy-IT JT-OR750i QCA9531 16 MiB 128 MiB DDR2 256 KiB R/W
Hak5 LAN Turtle AR9331 16 MiB 64 MiB DDR2 128 KiB R/W
Hak5 Packet Squirrel AR9331 16 MiB 64 MiB DDR2 128 KiB R/W
Hak5 WiFi Pineapple NANO AR9331 16 MiB 64 MiB DDR2 128 KiB R/W
P&W CPE505N QCA9531 16 MiB 64 MiB DDR2 256 KiB R/W
P&W R602N QCA9531 16 MiB 64 MiB DDR2 256 KiB R/W
TP-Link EAP245 v1 QCA9563 16 MiB 128 MiB DDR2 128 KiB, LZMA RW
TP-Link TL-MR10U v1 AR9331 4 MiB 32 MiB DDR1 64 KiB, LZMA RO
TP-Link TL-MR13U v1 AR9331 4 MiB 32 MiB DDR1 64 KiB, LZMA RO
TP-Link TL-MR22U v1 QCA9531 8 MiB 32 MiB DDR1 64 KiB, LZMA RO
TP-Link TL-MR3020 v1 AR9331 4 MiB 32 MiB DDR1 64 KiB, LZMA RO
TP-Link TL-MR3040 v1/2 AR9331 4 MiB 32 MiB DDR1 64 KiB, LZMA RO
TP-Link TL-MR3220 v2 AR9331 4 MiB 32 MiB DDR1 64 KiB, LZMA RO
TP-Link TL-MR3420 v2 AR9341 4 MiB 32 MiB DDR1 64 KiB, LZMA RO
TP-Link TL-MR3420 v3 QCA9531 4 MiB 32 MiB DDR2 64 KiB, LZMA RO
TP-Link TL-MR6400 v1/2 QCA9531 8 MiB 64 MiB DDR1 64 KiB, LZMA RO
TP-Link TL-WA801ND v2 AR9341 4 MiB 32 MiB DDR1 64 KiB, LZMA RO
TP-Link TL-WA830RE v2 AR9341 4 MiB 32 MiB DDR1 64 KiB, LZMA RO
TP-Link TL-WA850RE v2 QCA9533 4 MiB 32 MiB DDR1 64 KiB, LZMA RO
TP-Link TL-WDR3500 v1 AR9344 8 MiB 128 MiB DDR2 64 KiB, LZMA RO
TP-Link TL-WDR3600 v1 AR9344 8 MiB 128 MiB DDR2 64 KiB, LZMA RO
TP-Link TL-WDR43x0 v1 AR9344 8 MiB 128 MiB DDR2 64 KiB, LZMA RO
TP-Link TL-WR1041N v2 AR9342 4 MiB 32 MiB DDR1 64 KiB, LZMA RO
TP-Link TL-WR703N AR9331 4 MiB 32 MiB DDR1 64 KiB, LZMA RO
TP-Link TL-WR710N v1 AR9331 8 MiB 32 MiB DDR1 64 KiB, LZMA RO
TP-Link TL-WR720N v3 AR9331 4 MiB 32 MiB DDR1 64 KiB, LZMA RO
TP-Link TL-WR740N v4 AR9331 4 MiB 32 MiB DDR1 64 KiB, LZMA RO
TP-Link TL-WR802N QCA9533 4 MiB 32 MiB DDR1 64 KiB, LZMA RO
TP-Link TL-WR810N v1 QCA9531 8 MiB 64 MiB DDR2 64 KiB, LZMA RO
TP-Link TL-WR810N v2 QCA9533 8 MiB 32 MiB DDR1 64 KiB, LZMA RO
TP-Link TL-WR820N QCA9531 4 MiB 64 MiB DDR2 64 KiB, LZMA RO
TP-Link TL-WR841N/D v8 AR9341 4 MiB 32 MiB DDR1 64 KiB, LZMA RO
TP-Link TL-WR841N/D v9/10/11 QCA9533 4 MiB 32 MiB DDR1 64 KiB, LZMA RO
TP-Link TL-WR842N/D v2 AR9341 8 MiB 32 MiB DDR1 64 KiB, LZMA RO
TP-Link TL-WR842N/D v3 QCA9531 16 MiB 64 MiB DDR2 64 KiB, LZMA RO
TP-Link TL-WR902AC v1 QCA9531 8 MiB 64 MiB DDR2 128 KiB, LZMA RO
Village Telco Mesh Potato 2 AR9331 16 MiB 64 MiB DDR1 192 KiB R/W
Wallys DR531 QCA9531 8 MiB 64 MiB DDR2 192 KiB R/W
WHQX E600G/AC v2 QCA9531 8/16 MiB 64/128 MiB DDR2 256 KiB R/W
YunCore AP90Q QCA9531 16 MiB 128 MiB DDR2 256 KiB R/W
YunCore CPE830 QCA9531 16 MiB 64 MiB DDR2 256 KiB R/W
YunCore CPE870 AR9341 8 MiB 64 MiB DDR2 64 KiB, LZMA R/W
YunCore T830 QCA9531 16 MiB 128 MiB DDR2 256 KiB R/W
Zbtlink ZBT-WE1526 QCA9531 16 MiB 128 MiB DDR2 256 KiB R/W

(LZMA) - U-Boot binary image is compressed with LZMA. (R/W) - environment exists in separate FLASH block which allows you to save it and keep after power down. (RO) - environment is read only, you can change and add new variables only during runtime.

Known issues

Current release is not loading kernel from some versions of TP-Link's official firmware. If you want to use the so-called OFW in any of supported TP-Link's router, do not use this modification.

Modifications, changes

Web server

This bootloader includes a web and a DHCP server. It allows to upgrade firmware, U-Boot and ART (Atheros Radio Test) images, directly from your web browser, without need to access serial console and running a TFTP server.

The web server is accessible at 10.123.123.1 by default.

It contains 7 pages:

  1. index.html (allows to upgrade firmware image, screenshot below)
  2. uboot.html (allows to upgrade U-Boot image)
  3. art.html (allows to upgrade ART image)
  4. flashing.html
  5. 404.html
  6. fail.html
  7. style.css

TFTP firmware recovery

When using TFTP firmware recovery with acquiring a DHCP lease the gateway IP address is expected to be the TFTP server. Otherwise the default TFTP server IP address is 192.168.1.1 and the default firmware image name is MODEL_firmware.bin (e.g. tl-mr10u-v1_firmware.bin).

For some devices this IP address and the image name may differ to ensure compatibility with OEM firmware:

  • TP-Link (192.168.0.66 - only if listed here)
    • TL-WR841N v8 (mr3420v2_tp_recovery.bin)
    • TL-WR841N v9 (wr841nv9_tp_recovery.bin)
    • TL-WR841N v10 (wr841nv10_tp_recovery.bin)
    • TL-WR841N v11 (wr841nv11_tp_recovery.bin)
    • TL-WR842N v2 (wr842nv2_tp_recovery.bin)

Network Console

The network console allows you to communicate with U-Boot console over the Ethernet, using UDP protocol (default UDP port: 6666, router IP: 192.168.1.1). It will be replaced with a telnet implementation in the future.

You could also use netcat instead of Hercules utility on Mac/Linux:

# nc -u -p 6666 192.168.1.1 6666

Writable environment variables

U-Boot uses special "environment variables" which are used for storing values of many different settings, like IP addresses of device and remote server for TFTP transaction, serial console baud rate, boot command, etc. Environment is usually stored in separate FLASH sector or its part, so all changes can be saved permanently.

None of the popular manufacturers provides this feature and use so called "read-only environment" (embedded in U-Boot image), which means that all changes made during a runtime will be lost after device restart and there is no way to store them in FLASH.

This modification uses writable environment variables in almost all supported devices, so you can do for example:

uboot> setenv ipaddr 192.168.1.100
uboot> saveenv
Saving environment to FLASH...

Erase FLASH from 0x9F010000 to 0x9F01FFFF in bank #1
Erasing: #

Erased sectors: 1

Writing at address: 0x9F010000

uboot> reset

Which will change device IP address and save updated environment variables in FLASH. From next power up, the device will use new value for its IP address.

Using command run and writable environment variables you are able to write custom, small scripts like below example, used for firmware upgrade using TFTP method:

uboot> printenv
[...]
firmware_addr=0x9F020000
firmware_name=firmware.bin
firmware_upg=if ping $serverip; then tftp $loadaddr $firmware_name && erase $firmware_addr +$filesize && cp.b $loadaddr $firmware_addr $filesize && echo OK!; else echo ERROR! Server not reachable!; fi
[...]

uboot> run firmware_upg
Ethernet mode (duplex/speed): 1/100 Mbps
Using eth0 device

Ping OK, host 192.168.1.2 is alive!


TFTP from IP: 192.168.1.2
      Our IP: 192.168.1.1
    Filename: 'firmware.bin'
Load address: 0x80800000
       Using: eth0

     Loading: ########################################
              ########################################
              ########################################
              ########################################
              ########################################
              ########################################
              ########################################
              ########################################
              ########################################
              ########################################
              ########################################
              ########################################
              ########################################
              ########################################
              ########################################
              ########################################
              ########################################
              ########################################
              ########################################
              #########

TFTP transfer complete!

Bytes transferred: 3932160 (0x3c0000)
Erase FLASH from 0x9F020000 to 0x9F3DFFFF in bank #1
Erasing: #######################################
         #####################

Erased sectors: 60

Copying to FLASH...
Writing at address: 0x9F020000

Done!

OK!
uboot>

Other

Moreover:

  • Faster boot up
  • Unnecessary information from boot up sequence were removed
  • FLASH chip is automatically recognized (using JEDEC ID)
  • Ethernet MAC is set from FLASH (no more "No valid address in FLASH. Using fixed address")
  • Automatic kernel booting can be interrupted using any key
  • Better UART serial console driver with support for different baud rates
  • Press and hold reset button to run:
    • TFTP firmware recovery using static/hardcoded IPs (min. 3 seconds)
    • TFTP firmware recovery using a DHCP server/gateway address (min. 5 seconds)
    • Web recovery as a DHCP client (min. 7 seconds)
    • Web recovery (min. 9 seconds)
    • U-Boot network console (min. 12 seconds)
  • Additional commands (in comparison to the default version; availability depends on router model):
    • defenv
    • httpd
    • itest
    • loadb
    • loady
    • printmac
    • setmac
    • printmodel
    • printpin
    • startnc
    • startsc
    • ping
    • dhcp
    • sntp
    • iminfo
  • Overclocking and underclocking possibilities (for now, only routers with AR9331)

Supported FLASH chips

FLASH type detection may be very useful for people who has exchanged the FLASH chip in their routers. You will not need to recompile U-Boot sources, to have access to overall FLASH space in U-Boot console.

If you use FLASH type which is not listed below, this version of U-Boot will try to get information about the chip using Serial Flash Discoverable Parameter (SFDP, more information: https://www.jedec.org/standards-documents/docs/jesd216b) standard. If your chip does not support SFDP, it will use default size for your router and, in most supported models, updating the ART image will not be available.

Currently supported FLASH types:

4 MiB:

  • Spansion S25FL032P (4 MiB, JEDEC ID: 01 0215)*
  • Atmel AT25DF321 (4 MiB, JEDEC ID: 1F 4700)
  • EON EN25Q32 (4 MiB, JEDEC ID: 1C 3016)*
  • EON EN25F32 (4 MiB, JEDEC ID: 1C 3116)*
  • Micron M25P32 (4 MiB, JEDEC ID: 20 2016)
  • Windbond W25Q32 (4 MiB, JEDEC ID: EF 4016)
  • Macronix MX25L320 (4 MiB, JEDEC ID: C2 2016)
  • GigaDevice GD25Q32 (4 MiB, JEDEC ID: C8 4016)*

8 MiB:

  • Spansion S25FL064P (8 MiB, JEDEC ID: 01 0216)
  • Atmel AT25DF641 (8 MiB, JEDEC ID: 1F 4800)
  • EON EN25Q64 (8 MiB, JEDEC ID: 1C 3017)*
  • Micron M25P64 (8 MiB, JEDEC ID: 20 2017)
  • Windbond W25Q64 (8 MiB, JEDEC ID: EF 4017)*
  • Macronix MX25L64 (8 MiB, JEDEC ID: C2 2017, C2 2617)
  • GigaDevice GD25Q64 (8 MiB, JEDEC ID: C8 4017)

16 MiB:

  • Winbond W25Q128 (16 MiB, JEDEC ID: EF 4018)*
  • Winbond W25Q128FW (16 MiB, JEDEC ID: EF 6018, 1,8 V)*
  • Macronix MX25L128 (16 MiB, JEDEC ID: C2 2018, C2 2618)
  • Spansion S25FL127S (16 MiB, JEDEC ID: 01 2018)*
  • Micron N25Q128 (16 MiB, JEDEC ID: 20 BA18)
  • GigaDevice GD25Q128 (16 MiB, JEDEC ID: C8 4018)*

(*) tested

If you want to use other type, please contact with me or make changes in the code, test them and send a pull request or a patch.

How to install it?

Cautions, backups

You do so at your own risk! If you make any mistake or something goes wrong during upgrade, in worst case, your router will not boot again!

It is a good practice to backup your original U-Boot image/partition (especially for TP-Link devices) before you make any changes. For example, using OpenWrt (TP-Link TL-WR703N with 16 MiB FLASH):

cat /proc/mtd

This command will show you all MTD (Memory Technology Device) partitions:

dev:    size   erasesize  name
mtd0: 00020000 00010000 "u-boot"
mtd1: 000eeb70 00010000 "kernel"
mtd2: 00ee1490 00010000 "rootfs"
mtd3: 00c60000 00010000 "rootfs_data"
mtd4: 00010000 00010000 "art"
mtd5: 00fd0000 00010000 "firmware"

As you can see, u-boot partition size is 0x20000 (128 KiB) and my image for this model has smaller size: 0x1EC00 (123 KiB) - it is a very important difference! You should remember about this if you want to use mtd utility or serial console and U-Boot command line, to change the bootloader.

To backup u-boot partition in RAM, run:

cat /dev/mtd0 > /tmp/uboot_backup.bin

And then connect to your router using SCP protocol and download from /tmp the uboot_backup.bin file.

Using external programmer

If you have an external FLASH programmer (all supported devices have SPI NOR FLASH chips), you probably know how to use it. Download package with prebuilt images or compile the code, choose right file for your device and put it on FLASH at the beginning (offset 0x00000). Remember to first erase block(s) - with high probability, if you use some kind of automatic mode, the programmer will do it for you.

All prebuilt images are padded with 0xFF and since change "Extend maximum U-Boot image size up to 123 KB", in most supported devices, their size is no longer a multiple of 64 KiB block. For example, TP-Link uses only first 64 KiB block to store compressed U-Boot image (in most of their modern devices). In the second 64 KiB block they store additional information like MAC address, model number and WPS pin number. This modification will use both sectors for U-Boot image and also other data, including small block for writable environment variables.

Below image with beginning part of FLASH memory map for TP-Link TL-MR3020 shows differences between stock version and this modification.

On the other hand, U-Boot image in Carambola 2 from 8devices may have up to 256 KiB (4x 64 KiB block), they use uncompressed version and environment stored in FLASH. Immediately after the Carambola 2 U-Boot partition is an area which contains U-Boot environment variables (1x 64 KiB block), called u-boot-env:

dev:    size   erasesize  name
mtd0: 00040000 00010000 "u-boot"
mtd1: 00010000 00010000 "u-boot-env"
mtd2: 00f90000 00010000 "firmware"
mtd3: 00e80000 00010000 "rootfs"
mtd4: 00cc0000 00010000 "rootfs_data"
mtd5: 00010000 00010000 "nvram"
mtd6: 00010000 00010000 "art"

Using UART, U-Boot console and TFTP server

WARNING! This method is highly not recommended!

It is probably the most common method to change firmware in case of any problems. Main disadvantage of this approach is the need to connect with device using a serial port (this does not apply to Carambola 2 with development board, which already has a built-in USB-UART adapter, based on FTDI FT232RQ).

Important notice!

All these devices have an UART interface integrated inside the SoC, which operates at TTL 3.3 V (in fact, GPIO pins can work at this voltage, but their real range is < 3 V)!

Please, do not connect any RS232 +/- 12 V cable or any adapter without logic level converter, because it may damage your device. It would be the best if you use any USB to UART adapter with integrated 3.3 V logic level converter. And please, remember that you should connect only RX, TX and GND signals. DO NOT connect together 3.3 V signals from router and from adapter if you do not know what are you doing, because you may burn out your adapter and/or router! Connect the adapter using USB port in your PC and router with original power supply.

For a long time I have been using without any problems a small and very cheap (about 1-2 USD) CP2102 based adapter. Go to Serial Console article in OpenWrt Wiki for more, detailed information.

Step by step instructions

  1. Install and configure any TFTP server on your PC (on Windows, you can use TFTP32).

  2. Set a fixed IP address on your PC (in this tutorial we will use 192.168.1.2 for the PC and 192.168.1.1 for the router) and connect it to the router, using RJ45 network cable (in most case you will need to use one of the available LAN ports, but WAN port should also work).

  3. Connect USB to UART adapter to the router and start any application to communicate with it, like PuTTY. Configure adapter to use the following settings:

  • Baud rate: 115200
  • Data bits: 8
  • Parity control: none
  • Stop bits: 1
  • Handshaking: none
  1. Power on the router, wait for a line like one of the following and interrupt the process of loading a kernel:

Autobooting in 1 seconds (for most TP-Link routers, you should enter tpl at this point) Hit ESC key to stop autoboot: 1 (for 8devices Carambola 2, use ESC key) Hit any key to stop autoboot: 1 (for D-Link DIR-505, use any key)

  1. Set ipaddr and serverip environment variables:
hornet> setenv ipaddr 192.168.1.1
hornet> setenv serverip 192.168.1.2
  1. Check the changes:
hornet> printenv ipaddr
ipaddr=192.168.1.1
hornet> printenv serverip
serverip=192.168.1.2
  1. Due to differences in FLASH memory map and sizes of original and modified version of U-Boot, you must first make a backup of the partition with original version in RAM. If you skip this step or make a mistake, your device will be probably broken!

This step is different between supported models, so you should pay attention to the size of image with modified version of U-Boot, round it to the nearest multiple of 64 KiB and use this value in all next steps.

For example, if image of the modified version is 123 KiB (0x1EC00) you must first make a backup of 128 KiB (0x20000) in RAM, at the same address where you are going to download the image:

hornet> cp.b 0x9F000000 0x80800000 0x20000

Using the same offset address in RAM for backup and new image will end up with combination of both images and preserve additional data like MAC address, model number and PIN.

  1. Download and store in RAM proper image for your router, using tftpboot command in U-Boot console (in this example, for TP-Link TL-MR3020):
hornet> tftpboot 0x80800000 uboot_for_tp-link_tl-mr3020.bin
eth1 link down
Using eth0 device
TFTP from server 192.168.1.2; our IP address is 192.168.1.1
Filename 'uboot_for_tp-link_tl-mr3020.bin'.
Load address: 0x80800000
Loading: #########################
done
Bytes transferred = 125952 (1ec00 hex)

hornet>
  1. Next step is very risky! You are going to delete existing U-Boot image from FLASH in your device and copy from RAM the new one. If something goes wrong (for example, a power failure), your router, without bootloader, will not boot again!

You should also note the size of image and use value from step 7. In all cases, the start address of FLASH is 0x9F000000 and for RAM: 0x80000000 (as you may noticed, I did not use start address of RAM to store image and you should follow this approach).

Please, do not make any mistake with offsets and sizes during next steps!

  1. Erase appropriate FLASH space for new U-Boot image (this command will remove default U-Boot image!):
hornet> erase 0x9F000000 +0x20000

First 0x0 last 0x1 sector size 0x10000
Erased 2 sectors
hornet>
  1. Now your router does not have U-Boot, so do not wait and copy to FLASH the new one, stored earlier in RAM:
hornet> cp.b 0x80800000 0x9F000000 0x20000

Copy to Flash... write addr: 9f000000
done
  1. If you want, you can check content of the newly written FLASH and compare it to the image on your PC (or better also do such a "legit memory content" comparison prior to writing!), using md command in U-Boot console, which prints indicated memory area (press only ENTER after first execution of this command to move further in memory):
hornet> md 0x9F000000

9f000000: 100000ff 00000000 100000fd 00000000    ................
9f000010: 10000222 00000000 10000220 00000000    ..."....... ....
9f000020: 1000021e 00000000 1000021c 00000000    ................
9f000030: 1000021a 00000000 10000218 00000000    ................
9f000040: 10000216 00000000 10000214 00000000    ................
9f000050: 10000212 00000000 10000210 00000000    ................
9f000060: 1000020e 00000000 1000020c 00000000    ................
9f000070: 1000020a 00000000 10000208 00000000    ................
9f000080: 10000206 00000000 10000204 00000000    ................
9f000090: 10000202 00000000 10000200 00000000    ................
9f0000a0: 100001fe 00000000 100001fc 00000000    ................
9f0000b0: 100001fa 00000000 100001f8 00000000    ................
9f0000c0: 100001f6 00000000 100001f4 00000000    ................
9f0000d0: 100001f2 00000000 100001f0 00000000    ................
9f0000e0: 100001ee 00000000 100001ec 00000000    ................
9f0000f0: 100001ea 00000000 100001e8 00000000    ................
  1. If you are sure that everything went OK, you may reset the board using below command or just reset power:
hornet> reset

Using OpenWrt

This method is recommended!

Starting from official release "2014-11-19", you will find ready OpenWrt images, with unlocked u-boot partition, embedded U-Boot image and dedicated small script for easy update process inside release tarball. All you need to do is download last release, select proper OpenWrt image for your device, install it and invoke one command: u-boot-upgrade:

root@OpenWrt:/# u-boot-upgrade

=================================================================
     DISCLAIMER: you are using this script at your own risk!

     The author of U-Boot modification and this script takes
     no responsibility for any of the results of using them.

          Updating U-Boot is a very dangerous operation
        and may damage your device! You have been warned!
=================================================================
   Are you sure you want to continue (type 'yes' or 'no')? yes
=================================================================

[ ok ] Found U-Boot image file: uboot_for_tp-link_tl-mr3020.bin
       Do you want to use this file (type 'yes' or 'no')? yes
[ ok ] MD5 checksum of new U-Boot image file is correct
[ ok ] Backup of /dev/mtd0 successfully created
       Do you want to store backup in /etc/u-boot_mod/backup/ (recommended, type 'yes' or 'no')? no
[ ok ] New U-Boot image successfully combined with backup file
[info] New U-Boot image is ready to be written into FLASH
       Are you sure you want to continue (type 'yes' or 'no')? yes
[ ok ] New U-Boot image successfully written info FLASH
[ ok ] MD5 checksum of mtd0 and new U-Boot image are equal
[info] Done!

How to compile the code?

Building on Linux

You can use one of the free toolchains:

I am using OpenWrt Toolchain for AR71xx MIPS (32-bit, virtual machine) and all released binary images were/will be built using this set.

All you need to do, after choosing a toolchain, is to modify Makefile - change or remove export MAKECMD and if needed add export PATH. For example, to use OpenWrt Toolchain instead of Sourcery CodeBench Lite, download it and extract into toolchain folder, inside the top dir and change first lines in Makefile:

export BUILD_TOPDIR=$(PWD)
export STAGING_DIR=$(BUILD_TOPDIR)/tmp

export MAKECMD=make --silent ARCH=mips CROSS_COMPILE=mips-openwrt-linux-uclibc-
export PATH:=$(BUILD_TOPDIR)/toolchain/bin/:$(PATH)

To build image, run make model inside top dir, for example, command:

make tplink_wr703n

will start building U-Boot image for TP-Link TL-WR703N.

FAQ

1. My device is not supported, but has the same hardware as one in the list, can I use this modification?

It could be dangerous! I know that a lot of routers uses the same hardware - for example, TP-Link has a battery powered routers set, which contains: TL-MR10U, TL-MR11U (TL-MR3040 in Europe) TL-MR12U and TL-MR13U. All of them has the same platform: Atheros AR9331 with 32 MiB of DDR RAM and 4 MiB of SPI NOR FLASH. But, there may exist a slight difference, like GPIO pin number for reset button or LED(s), that may cause problems.

You can try, but remember that you are doing this only at your own risk!

2. I want to overclock my router, how can I do this?

Currently, this option is available only for routers with Atheros AR9331 (please, look at ap121.h file which contains all information about PLL register configuration and an untypical clocks for CPU, RAM and AHB). What more, you will need to compile the code yourself, because I will not publish images with non-default clocks.

And again, remember that you are doing this only at your own risk!

3. Do you test all prebuilt images before you publish them?

No, because I do not have all supported devices, only few of them. But, I make tests for every supported SoC types.

4. I would like you to add support for device X.

You can do it yourself and send me a pull request or a patch. If you do not want to, or do not know how to do it, please contact with me directly.

5. My device does not boot after upgrade!

I told you... bootloader, in this case U-Boot, is the most important piece of code inside your device. It is responsible for hardware initialization and booting an OS (kernel in this case), i.e. it is the bridge head for delegating to / flashing kernel and rootfs images. So, if during the upgrade something went wrong, your device will not boot any more. The only way to recover from such a situation in a mild way is via a JTAG adapter connection. In case of a lack of JTAG connection, you would even need to remove the FLASH chip, load proper image using an external programmer and solder it back.

License, outdated sources etc.

U-Boot project is Free Software, licensed under version 2 of the GNU General Public License. All information about license, contributors etc., are included with sources, inside u-boot folder.

You should know, that most routers, especially those based on Atheros SoCs, uses very old versions of U-Boot (1.1.4 is from 2005/2006). So, these sources are definitely outdated (do not even try to merge them with official release), but it was easier for me to modify them, than move TP-Link/Atheros changes to the current version. Moreover, lot of unnecessary code fragments and source files were removed for ease of understanding the code.

Credits

  • Thanks to Piotr Dymacz for creating u-boot_mod
  • Thanks for all donators and for users who contributed in code development

About

Specialized boot loader with enhanced recovery capabilities for routers

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published