Tag Archives: openwrt

Recover bricked TL-MR3020 via serial console


Recently, I’ve flashed my MR3020 in attempt to make my own Wifi Pineapple. But.. You know. Shit happen. :p

In other word, i screwed up my MR3020 and bricked it. All the LED is keep on blinking, some is on and not blinking, and the network is getting connected and disconnected randomly. Guess that’s a sign you’ve mess up with the device. XD

But I’m lucky because you still can recover the device via serial console and tftpd32 method. (yeay!)

Bear in mind that this method will VOID your warranty. So, don’t do this unless you willing to sacrifice for the sake of knowledge. πŸ™‚

Things that you need:

  • Tftpd32: A free tftp and dhcp server for windows, freeware tftp server. Very efficient for booting over LAN.
  • PuTTY: SSH and telnet client, free and open-source terminal emulator, serial console and network file transfer application.
  • USB to UART converter (3.3V). I’m using this converter that I bought at Cytron Technologies.
  • A 10K resistor
  • Female to Female OR Female to Male Jumper Wires
UC00B USB-UART Converter
UC00B USB-UART Converter


So, as you can see, my USB-UART converter come with 6 ways header pin for interfacing. The voltage selector must set to 3.3V since the TL-MR3020 router have its I/O pins working at 3.3V.

Connection Diagram
* Do not connect the router VCC to USB-UART VCC, it may break your adapter or your router

TL-MR3020   |    USB-UART   |    COLOR
------------|---------------|-----------
GND | GND | BLACK
RX | TXD | GREEN
TX | RXD | YELLOW

For the picture of the connection diagram, refer to first picture above.

No Serial Port
Male Jump Wire to MR3020


So, in my case, my MR3020 is version 1.9. As you can see picture above, mine doesn’t have any serial port to connect to using female jump wire. So I use female (attach to USB-UART) to male (attach to MR3020) as picture below:

Male Jump Wire to MR3020
Male Jump Wire to MR3020


Take note that I only put the resistor and jumper wire without soldering. You can do a soldering to your jump wire and resistor to the port with in this tutorial, I skip with that. :p

After you have all things in place, you can start installing the UC00B (USB-UART) driver to your computer. After finished, restart your computer, and check your Device Manager. You should see something like this:

UC00B USB-UART on Device Manager
UC00B USB-UART on Device Manager


which indicated that the driver and the converter is detected by computer and the driver is properly installed.

Setting up network IP address
Assign a static IP address to the computer, using IP address 192.168.1.2 since the router IP address is 192.168.1.1. No need for Internet connection in this process.

REMEMBER! Ensure that you have disable you windows firewall. Or else, the next step will might not work.

Install OpenWRT from the U-Boot console
Download the latest OpenWRT firmware and save it to C:\Program Files\Tftpd32 (Tftpd32 default installation folder) as shown in figure below:

TFTPD
TFTPD


You also can click the “Show Dir” button and check if the file is there or not.

Run Putty, select Serial option, on Serial Line, I’m using COM3 since my USB-UART driver detected as COM3, for Speed option, I use 115200. Then click Open. Example like picture below:

Putty example for Serial COM3
Putty example for Serial COM3

After that, power up your MR3020. On Putty console, you should see something like this:

U-Boot 1.1.4 (Aug 17 2012 - 15:21:03)
.
AP121 (ar9330) U-boot
.
DRAM:  32 MB
led turning on for 1s...
id read 0x100000ff
flash size 4194304, sector count = 64
Flash:  4 MB
Using default environment
.
In:    serial
Out:   serial
Err:   serial
Net:   ag7240_enet_initialize...
No valid address in Flash. Using fixed address
No valid address in Flash. Using fixed address
: cfg1 0x5 cfg2 0x7114
eth0: 00:03:7f:09:0b:ad
ag7240_phy_setup
eth0 up
: cfg1 0xf cfg2 0x7214
eth1: 00:03:7f:09:0b:ad
athrs26_reg_init_lan
ATHRS26: resetting s26
ATHRS26: s26 reset done
ag7240_phy_setup
eth1 up
eth0, eth1
Autobooting in 1 seconds

The moment after you see “Autobooting in 1 seconds“, type in word “tpl” immediately.

tpl
hornet>

If everything is correct, you should see “hornet>” in your console. if you missed it, close and open back your Putty, follow the instruction above until you see the word “hornet>

Now you are in U-Boot-console, as it shows “hornet>” on your console. Now enter the following commands:
setenv ipaddr is the MR3020 IP address,
setenv serverip is the computer IP address,

hornet> setenv ipaddr 192.168.1.1
hornet> setenv serverip 192.168.1.2

Then enter this command to download openwrt .bin file:

tftpboot 0x80000000 openwrt-ar71xx-generic-tl-mr3020-v1-squashfs-factory.bin

you should see something like this:

hornet> tftpboot 0x80000000 openwrt-ar71xx-generic-tl-mr3020-v1-squashfs-factory.bin
Using eth1 device
TFTP from server 192.168.1.2; our IP address is 192.168.1.1
Filename 'openwrt-ar71xx-generic-tl-mr3020-v1-squashfs-factory.bin'.
Load address: 0x80000000
Loading: #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         ######################################################
done
Bytes transferred = 3932160 (3c0000 hex)

Then enter this command to erase old firmware:

erase 0x9f020000 +0x3c0000

The output must be like this:

hornet> erase 0x9f020000 +0x3c0000
.
First 0x2 last 0x3d sector size 0x10000           61
Erased 60 sectors

Then enter this command to start flashing:

cp.b 0x80000000 0x9f020000 0x3c0000

And the output is:

hornet> cp.b 0x80000000 0x9f020000 0x3c0000
Copy to Flash... write addr: 9f020000
done

After that, lets try to boot to the new firmware:

bootm 9f020000

And the result is:

hornet> bootm 9f020000
## Booting image at 9f020000 ...
   Uncompressing Kernel Image ... OK
.
Starting kernel ...
### snip ###

And.. Thats it. You’ve recover you almost-dead MR3020 to life! πŸ™‚
The device new IP is at 192.168.1.1. Happy hacking!

Credit to this blog for this tutorial!

Wifi Pineapple Mark V MR3020 – Bypass verify_pineapple LED pattern

wrong pattern entered during verify pineapple.
wrong pattern entered during verify pineapple.

Recently, I have a cool weekend project to do at home. Kinda spending a good time with my gadgets. πŸ˜€ So I decided to install Wifi Pineapple Mark 5 version 2.2.0 on my TP-Link MR3020 version 1.9. Its a straight forward step and you can follow that tutorial on my personal wiki at wiki.khairulazam.net.

After the installation finished, you need to go through the pineapple security measure as a part of setting up pineapple for the first time.

You need to select the correct pattern on that page to match with the blinking LED on your device. But… you know why. because you installing the firmware on different hardware. LOL

So, if you also have and facing the same problem, its okay. With a help from Fikri Fadzil, lets bypass the pattern verification >_<

First, power off you device. After that, unplug the USB pendrive that contain pineapple firmware and plug in it to your computer. I use Ubuntu Desktop to make this step easier.

Go to this directory:

/media/a7ac8712-5a08-49da-b9e1-2ede31828bda/pineapple/includes/

* /media/a7ac8712-5a08-49da-b9e1-2ede31828bda/ may be different as yours. take note what your USB drive mounted on your OS.

And edit this file:

welcome.inc.php

Go to line 199. Or search for keyword “array_search” in this “welcome.inc.php” file.

Edit the code from this:

if (array_search($post['amber'], $action_array) == $current_state[0]
    &amp;&amp; array_search($post['blue'], $action_array) == $current_state[1]
    &amp;&amp; array_search($post['red'], $action_array) == $current_state[2]
) {
    $_SESSION['verified'] = true;
    return passwordForm();
  }

to this:

if (true)
{
    $_SESSION['verified'] = true;
    return passwordForm();
}

Save this code. Unmount/eject your USB pendrive and plug in on your MR3020 back.

After that, just power on your device, and try to go through the verify pattern step back again. At this time, it will accept any pattern you like.

Then proceed to the next step. Happy hacking! πŸ™‚

TL-MR3020 Failsafe Mode (OpenWrt)

Failsafe Mode
– Set your computer’s IP to 192.168.1.2, subnet 255.255.255.0
– Connect the TL-MR3020 to your computer via ethernet
– Power on the TL-MR3020
– When the WPS Button starts to blink , push it until it blinks faster
– The device is now in Failsafe-Mode
– You may access it by using telnet 192.168.1.1

In failsafe mode
The root file system in failsafe mode is the only the SquashFS partition. The JFFS2 is not present. To mount JFFS2 in read-write mode run this command:
– mount_root

and then repair your system:
– In case you forgot your password, you need to set a new one. Type:
passwd

– In case you filled up the entire JFFS2 by installing too big/too many packages, clean the entire JFFS2 partition. All settings will be reset and all installed packages are removed. (OpenWrt equivalent of a factory reset)
firstboot

or (this will reboot the device as part of the process)
mtd -r erase rootfs_data

or
rm -r /overlay/*

If you are done with failsafe mode use
– reboot -f