Initial flashing for TPLink TL-WDR3600

Eugene Grosbein eugen at grosbein.net
Wed Oct 28 18:19:35 UTC 2015 

On 09.10.2015 00:39, Eugene Grosbein wrote:

> About reflashing.
> 
> I've just built tl-wdr3600.factory.bin using HEAD sources and instructions at
> https://github.com/freebsd/freebsd-wifi-build/wiki/TPLink-TL-WDR3600
> 
> My device has "TFTP auto recovery" described at
> http://wiki.openwrt.org/toh/tp-link/tl-wdr3600#tftp_auto_recovery_in_revision_15
> 
> It sends tftp RRQ "wdr3600v1_tp_recovery.bin" just like that article says.
> Is it possible to reflash the device to FreeBSD using this tftp method?
> 
> I have no TTL cable handy yet. And, more important, I want to discover easy reflashing method
> that does not require making cable and opening/soldering device
> so that I could recommend it to others in local community and "lower the wall" for FreeBSD/mips.

Answering to myself.

There is reliable way to flash FreeBSD image to TPLink TL-WDR3600 having stock firmware
without need to open case and use/solder TTL cable or use intermediate firmwares like OpenWRT.
I've tested it and it works.

1. Upgrade stock firmware to its latest version using official TP-Link site and instructions.
This gives you "TFTP auto recovery" feature. That is, U-Boot 1.1.4 with TFTP client.

The page is http://www.tplink.com/en/download/TL-WDR3600_V1.html#Firmware
and the archive is http://www.tplink.com/res/down/soft/TL-WDR3600_V1_150518.zip
containing "wdr3600v1_en_3_14_3_up_boot(150518).bin" file.

Important part is its length 8192512 bytes (16001*512) and word "boot" in its name
indicating that it has U-Boot embedded.

You can use that image or localized one. I've tested with above file
and with wdr3600v1_ru_3_14_3_up_boot(150605).bin having same size, both work.

2. Get first 257 blocks (512 bytes each) from stock firmware:

# dd if='wdr3600v1_en_3_14_3_up_boot(150518).bin' bs=512 count=257 of=recovery-header.bin 
257+0 records in
257+0 records out
131584 bytes transferred in 0.000705 secs (186642982 bytes/sec)

You get different contents for different source images (english or localized),
it works anyway.

3. Build FreeBSD image as Adrian's wiki tells.

4. Now you need to prepend FreeBSD image with recovery-header.bin and
pad it with anything up to same 8192512 bytes length. Zero padding works just fine
despite of stock image being padded with 0xff bytes:

size=$(stat -f '%z' freebsd.img)
padsize=$(( 8192512-($size+131584) ))
dd if=/dev/zero bs=$padsize count=1 | cat recovery-header.bin freebsd.img - > wdr3600v1_tp_recovery.bin

5. Now just follow standard stock procedure for firmware recovery:
- setup tftp server using address 192.168.0.66/24 having wdr3600v1_tp_recovery.bin;
- connect TL-WDR3600 to tftp server using LAN port;
its U-Boot uses address 192.168.0.86/24 for recovery purpose;
- turn the device off, press and hold WPS button and turn it on
holding WPS button for about 5 seconds until LAN activity LED starts to bink;
you may release the button after that
- it should download wdr3600v1_tp_recovery.bin from tftp server, flash it and reboot;
give it some time to finish re-flashing and it resets automatically
blinking all LEDs and boots FreeBSD.

Credits to Leon George and his following post to OpenWrt-Devel list:
https://mail-archive.com/openwrt-devel%40lists.openwrt.org/msg32888.html

Have fun!

More information about the freebsd-mips mailing list