
Uboot Mods

Date post: 07-Oct-2015
Upload: basuki-ariawan
Description:
OpenWRT U-Boot guide
  • U-Boot mod for routers with AR9331

    Introduction

    There exists a modification to the bootloader of certain routers that makes it essentially unbrickable. This modification adds a Web Gui to the bootloader that is selectable during router bootup. From this Gui you can upload a new firmware image to the router even if the current image does not work.

    This allows you to recover from a bad image or a situation that, in normal circumstances, would require a serial connection to the router.

    The project that created this modification is located at https://github.com/pepe2k/u-boot_mod and an OpenWRT thread about it is at https://forum.openwrt.org/viewtopic.php?id=43237

    In this tutorial we will show you how to make the modifications to the bootloader using a special version of OpenWRT and using an Ethernet connection.

    The routers that can have this modification done to them:

    Make      Model
    DLink     Dir505A1
    TP-Link   MR10Uv1
              MR13Uv1
              MR3020v1
              MR3040v1 and v2
              MR3220v2
              MR3600/4300/4310
              WR703N
              WR710Nv1
              WR720Nv3
              WR740Nv4/741Nv4

  • Background

    A router uses a special type of memory to hold the programs and data needed for it to run. This is called Flash or Nonvolatile (NV) memory. This memory can be written to and read from and will retain its contents even when the power is removed. It is very similar to the memory in a USB memory stick.

    This memory is laid out in sections, with each section containing different parts of the router's programs and data. One section, called the u-boot section, contains the program, and its data, which is run when the router is first powered up.

    This is the same as a computer's BIOS: it initializes the hardware and prepares things so the actual router firmware can be executed.

    It is possible to upgrade this program to add new features which are not present in the factory bootloader. That was the purpose of the U-Boot Project. The most valuable addition it made to the bootloader program is a Web Gui that you can activate, using the router's reset button, during the router boot process. Other features were also added but won't be looked at here.

    To upgrade the bootloader we must simply change the program that is held in the u-boot section of the Flash memory. We do this by overwriting the program currently in that section.

    Warning

    It is possible to brick your router doing this to the point that a special chip programmer is needed to recover it.

    Take care to follow every step in the procedure to ensure that this does not happen.

    The procedure shown here was carried out on a TP-Link WR703Nv1.7 without issue but

    The author of this text and of the presented version of U-Boot is not liable for any adverse effects resulting from applying the instructions on this website, from an inability to upload, or from errors in the software. The author has made every effort and tested the presented software on the devices, but does not guarantee that it will work properly on your device.

    What's more, you have been warned that replacing the U-Boot software is a highly dangerous operation. In the event of failure your device will no longer start, and the only way to restore it to operation will be to flash it with an external programmer.

    All operations performed on the basis of the information contained here are done at your own risk!

  • Requirements

    Several programs are required in order to make the modifications to the bootloader. None of these require great skill and should be within the reach of the average user.

    The three programs needed are WinSCP, Putty and HxD.

    WinSCP and Putty are used to access the Flash memory of the router. Downloads and a tutorial on their use can be found at http://www.ofmodemsandmen.com/winscp.html

    HxD is a freeware Hex Editor and the program is included with this package in the Hex Editor folder. Run the program in that folder and install HxD on your computer.

    Flashing the Router

    In order to modify the u-boot section of memory it is necessary to flash the router with a special version of OpenWRT. The reason for this is that, in normal OpenWRT, the u-boot memory section is read-only and cannot be modified. This special image removes that restriction.

    Open the Routers folder in this package and look in the folder that matches your router model. In that folder you will find a file named openwrt-special-xxxxxx.bin that is the special version of OpenWRT needed for this procedure.

    Flash your router with this image using the normal methods. Go to the router's web interface and set the router password so that it is possible to use Putty and WinSCP with the router.

    Updating the Bootloader

    Because the u-boot section of Flash memory contains both the bootloader and data specific to your router, we cannot just write the new bootloader program to it.

    Instead, we must extract the entire u-boot section, modify the program part of the resulting file and then write it back to the Flash memory again. This will preserve the router-specific data that is contained in that memory section. It also allows us to back up the old bootloader in case we wish to revert to it at a future date.

  • Extracting the U-Boot memory Section

    The first step required is to extract the entire u-boot memory section and place it in a file which can be copied from the router to our computer.

    To do this we will use Putty and WinSCP.

    Use Putty to log in to the command line of the router, using the password you set previously.

    To find out which memory section contains the bootloader, enter the following command.

    cat /proc/mtd

    You will get something like the following as a response.

    dev:    size   erasesize  name
    mtd0: 00020000 00010000 "u-boot"
    mtd1: 000feba0 00010000 "kernel"
    mtd2: 002d1460 00010000 "rootfs"
    mtd3: 00100000 00010000 "rootfs_data"
    mtd4: 00010000 00010000 "art"
    mtd5: 003d0000 00010000 "firmware"

    We are interested in the section named u-boot and need to know which dev it is. In this case, and in most (all?) cases, the dev will be mtd0.

    Now that we know the dev, enter the following at the command line.

    cat /dev/mtd0 > /tmp/uboot_backup.bin

    If your u-boot section is a different dev then replace the mtd0 with the correct one.

    This extracts the u-boot memory section and places it in a file called uboot_backup.bin in the router's /tmp folder.

    Now use WinSCP to copy that file from the /tmp folder to a folder on your computer. You have successfully extracted the U-Boot Memory section from the router.
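
    The lookup and the dump can be checked by script, so the dev is not read by eye and a short dump is caught before anything is written back. This is an added example, not part of the original tutorial; the function names mtd_lookup and check_dump are made up for it.

```shell
#!/bin/sh
# Added example: find an MTD section by name and confirm that a dump
# of it has exactly the size /proc/mtd reports for that section.

# mtd_lookup NAME [TABLE]
# Prints "<dev> <size in bytes>" for the section called NAME.
# TABLE defaults to /proc/mtd; pass a saved copy to try it off the router.
mtd_lookup() {
    entry=$(awk -v want="\"$1\"" '
        $4 == want { sub(/:$/, "", $1); print $1, $2; exit }
    ' "${2:-/proc/mtd}")
    [ -n "$entry" ] || return 1
    # The size column is hexadecimal without a 0x prefix.
    echo "${entry% *} $((0x${entry#* }))"
}

# check_dump NAME FILE [TABLE]
# Prints the dev and returns 0 only if FILE is as long as the section.
# Returns 2 if no such section exists, 1 on a size mismatch.
check_dump() {
    found=$(mtd_lookup "$1" "${3:-/proc/mtd}") ||
        { echo "no section named $1" >&2; return 2; }
    want=${found#* }
    have=$(( $(wc -c < "$2") ))
    if [ "$have" -ne "$want" ]; then
        echo "$2 is $have bytes, ${found% *} ($1) is $want bytes" >&2
        return 1
    fi
    echo "${found% *}"
}

# Usage on the router: check_dump u-boot /tmp/uboot_backup.bin
```

    Running the same check on the copy that arrives on your computer, against a saved copy of the table, shows whether the transfer was complete.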

    Update the Bootloader

    Before proceeding any further, copy the uboot_backup.bin file to a safe location on your computer just in case you wish to restore the original bootloader or you make a mistake modifying it.

    In this package, go to the Routers folder and, in the folder that matches your router model, copy the uboot_for_xxxx.bin file to the same folder as the uboot_backup.bin file.

    Run the HxD hex editor and open both of these files in it.

    Select the uboot_for_xxxx.bin tab. Select all of the file using Ctrl-A and copy it using Ctrl-C. This file is 64K in length.

    Now, select the uboot_backup.bin tab and place the cursor at the first byte of the file. This file is 128K in length.

    Select Edit->Paste Write. The 64K bytes of the uboot_for_xxxx.bin file will replace the first 64K bytes of the uboot_backup.bin file. This replaces the bootloader program in the file but leaves the router-specific data in the second 64K alone.

    Select File->Save As and save the file as uboot_mod.bin.

    You have now updated the bootloader file to the modified version.
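
    The same splice can be done without a hex editor and verified afterwards, which catches a paste at the wrong offset or an insert instead of an overwrite. This is an added example, not from the original package; splice_uboot, size_of and tail_sum are hypothetical names, and the 64K and 128K sizes are the ones stated in this tutorial.

```shell
#!/bin/sh
# Added example: the HxD "Paste Write" step done with dd, then verified.
# Sizes are the ones this tutorial states; other routers may differ.
IMG_SIZE=65536        # uboot_for_xxxx.bin, 64K
SECTION_SIZE=131072   # uboot_backup.bin, 128K

# Byte count of a file as a plain integer.
size_of() { echo $(( $(wc -c < "$1") )); }

# Checksum of the last IMG_SIZE bytes (the router-specific data).
tail_sum() { tail -c "$IMG_SIZE" "$1" | cksum; }

# splice_uboot NEW_IMAGE BACKUP OUTPUT
# Writes OUTPUT = NEW_IMAGE followed by the second 64K of BACKUP.
splice_uboot() {
    new=$1 backup=$2 out=$3
    [ "$(size_of "$new")" -eq "$IMG_SIZE" ] ||
        { echo "$new is not 64K, refusing" >&2; return 1; }
    [ "$(size_of "$backup")" -eq "$SECTION_SIZE" ] ||
        { echo "$backup is not 128K, refusing" >&2; return 1; }

    cp "$backup" "$out" || return 1
    # conv=notrunc overwrites the start in place and keeps what follows.
    dd if="$new" of="$out" bs="$IMG_SIZE" count=1 conv=notrunc 2>/dev/null ||
        return 1

    # The result must still be 128K, start with the new image and
    # end with exactly the bytes the backup ended with.
    [ "$(size_of "$out")" -eq "$SECTION_SIZE" ] || return 1
    head -c "$IMG_SIZE" "$out" | cmp -s - "$new" || return 1
    [ "$(tail_sum "$out")" = "$(tail_sum "$backup")" ] || return 1
}

# Usage: splice_uboot uboot_for_xxxx.bin uboot_backup.bin uboot_mod.bin
```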

  • Write the Bootloader

    The last step is to write the modified bootloader file to the u-boot memory section on the router.

    Use WinSCP to copy the uboot_mod.bin file to the /tmp folder on the router.

    Run Putty and go to the router command line with it. Type the following.

    mtd -r write /tmp/uboot_mod.bin u-boot

    You will see this as a response if everything works.

    Unlocking u-boot ...
    Writing from uboot_mod.bin to u-boot ...

    The bootloader has been updated and you can now reboot your router.

  • Bootloader Web GUI

    To access the Web GUI of the bootloader, unplug the router's power.

    Hold in the router's reset button and plug the power back in.

    The router's power light will flash and then start to blink once per second. Release the reset button after 4 blinks (4 seconds). The power light will then blink rapidly for 2 seconds.

    Use your browser to go to 192.168.1.1. You will see the following page.

    Use the Browse button to select the firmware image you wish to flash to the router and the Update Firmware button to do the flashing.

    Warning

    No checking is done to see if the image you select is correct for the router. Be sure that you select an image that is compatible with your router.

  • Conclusion

    By modifying the router bootloader you have made it very difficult to brick your router. Even if the image you flash to the router is faulty you can always activate the Bootloader Web Gui and flash a working image.

    If the image you flashed refuses to start or crashes during execution, the Bootloader Web Gui should automatically start, giving you a chance to reflash and fix the problem. If it doesn't, you can use the reset button to activate it.

