Some time ago I was looking for some access points that ought to replace the existing one. I wanted to extend the reach of my WLAN and provide more capacity for the increasing demand of devices. All of course at reasonable costs.
I came across the devices from TP-Link which seem to provide exactly what I was looking for: 300 Mbps wireless N access points only (no unneeded features) at low costs. The models TL-WA801ND and TL-WA901ND (the ‘D‘ means they have detachable antennas) were the ones I was choosing between. Comparing the specifications it seems as if the only difference is an additional third antenna for the TL-WA901ND. Besides that they seem to be identical while the TL-WA901ND costs roughly 50% more than the TL-WA801ND.
I decided for the cheaper TL-WA801ND and ordered three of them and when I received them it turns out that they are v2 models.
A lot of TP-Link devices are covered by the OpenWRT project which gives you the freedom to customize devices within the limits the hardware provides. Unfortunately the TL-WA801ND is not amongst the listed devices and trying to flash a OpenWRT of a similar devices fails as the stock firmware checks it prior allowing to flash it.
Not a dead-end and maybe just some reconnaissance is required. So I started by unboxing the device and analyzing the findings.
From the above picture you can see that the board does not contain that much components. No surprise for a device at that price. The larger IC (TSOPII-66 package) seems to be a DRAM while the smaller one (164-pin LPCC package) is a Atheros SoC. Further research showed that I was right and the large IC is in fact a DRAM (A3S56D40FTP-G5I, 256 Mb manufactured by Zentel). The SOP-8 in the upper left turned out to be a S25FL032A/P (32-Mbit Flash Memory with SPI) from Spansion. It was very likely that the board is also having a UART port somewhere and an unpopulated area on the left side labeled JP1 draws my attention. You can see in more detail in the picture below.
Equipped with a DMM and a DSO I began with that jumper area. Bingo! It was too obvious and similar headers have been documented on the OpenWRT site. The result is as follows:
Next step was to populate JP1 by soldering an appropriate pinheader to it.
Afterwards I connected a USB-to-TTL serial cable to it (note that this port is using 3.3V levels!) and powered on the device awaiting more valuable information. The boot log was revealing:
U-Boot 1.1.4 (May 24 2012 - 19:13:20) U-boot AP123 DRAM: 32 MB id read 0x100000ff Flash: 4 MB Using default environment In: serial Out: serial Err: serial Net: ag934x_enet_initialize... wasp reset mask:c03300 WASP ----> S27 PHY GMAC: cfg1 0x5 cfg2 0x7114 eth0: ba:be:fa:ce:08:41 s27 reg init athrs27_phy_setup ATHR_PHY_CONTROL 4: 0x1000 athrs27_phy_setup ATHR_PHY_SPEC_STAUS 4: 0x10 eth0 up WASP ----> S27 PHY GMAC: cfg1 0xf cfg2 0x7214 eth1: ba:be:fa:ce:08:41 s27 reg init lan ATHRS27: resetting s27 ATHRS27: s27 reset done athrs27_phy_setup ATHR_PHY_CONTROL 0: 0x1000 athrs27_phy_setup ATHR_PHY_SPEC_STAUS 0: 0x10 athrs27_phy_setup ATHR_PHY_CONTROL 1: 0x1000 athrs27_phy_setup ATHR_PHY_SPEC_STAUS 1: 0x10 athrs27_phy_setup ATHR_PHY_CONTROL 2: 0x1000 athrs27_phy_setup ATHR_PHY_SPEC_STAUS 2: 0x10 athrs27_phy_setup ATHR_PHY_CONTROL 3: 0x1000 athrs27_phy_setup ATHR_PHY_SPEC_STAUS 3: 0x10 eth1 up eth0, eth1 Autobooting in 1 seconds ## Booting image at 9f020000 ... Uncompressing Kernel Image ... OK Starting kernel ... Booting Atheros AR934x Linux version 2.6.31--LSDK-9.2.0_U5.508 (zhongjin@rd3linux.tplink) (gcc version 4.3.3 (GCC) ) #55 Thu May 24 19:18:11 CST 2012 flash_size passed from bootloader = 4 Ram size passed from bootloader =33554432 CPU revision is: 0001974c (MIPS 74Kc) ath_sys_frequency: cpu srif ddr srif cpu 535 ddr 400 ahb 200 Determined physical RAM map: memory: 02000000 @ 00000000 (usable) Zone PFN ranges: Normal 0x00000000 -> 0x00002000 Movable zone start PFN for each node early_node_map[1] active PFN ranges 0: 0x00000000 -> 0x00002000 Built 1 zonelists in Zone order, mobility grouping on. Total pages: 8128 Kernel command line: console=ttyS0,115200 root=31:2 rootfstype=squashfs init=/sbin/init mtdparts=ath-nor0:128k(u-boot),1024k(kernel),2816k(rootfs),64k(config),64k(art) mem=32M PID hash table entries: 128 (order: 7, 512 bytes) Dentry cache hash table entries: 4096 (order: 2, 16384 bytes) Inode-cache hash table entries: 2048 (order: 1, 8192 bytes) Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes. Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes Writing ErrCtl register=00000000 Readback ErrCtl register=00000000 Memory: 30132k/32768k available (1722k kernel code, 2636k reserved, 426k data, 112k init, 0k highmem) NR_IRQS:128 plat_time_init: plat time init done Calibrating delay loop... 267.26 BogoMIPS (lpj=534528) Mount-cache hash table entries: 512 NET: Registered protocol family 16 bio: create slab at 0 usbcore: registered new interface driver usbfs usbcore: registered new interface driver hub usbcore: registered new device driver usb NET: Registered protocol family 2 IP route cache hash table entries: 1024 (order: 0, 4096 bytes) TCP established hash table entries: 1024 (order: 1, 8192 bytes) TCP bind hash table entries: 1024 (order: 0, 4096 bytes) TCP: Hash tables configured (established 1024 bind 1024) TCP reno registered NET: Registered protocol family 1 ATH GPIOC major 0 squashfs: version 4.0 (2009/01/31) Phillip Lougher msgmni has been set to 58 io scheduler noop registered io scheduler deadline registered (default) Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled serial8250.0: ttyS0 at MMIO 0xb8020000 (irq = 19) is a 16550A console [ttyS0] enabled PPP generic driver version 2.4.2 NET: Registered protocol family 24 5 cmdlinepart partitions found on MTD device ath-nor0 Creating 5 MTD partitions on "ath-nor0": 0x000000000000-0x000000020000 : "u-boot" 0x000000020000-0x000000120000 : "kernel" 0x000000120000-0x0000003e0000 : "rootfs" 0x0000003e0000-0x0000003f0000 : "config" 0x0000003f0000-0x000000400000 : "art" ->Oops: flash id 0x1c3016 . ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver Port Status 1c000004 ath-ehci ath-ehci.0: ATH EHCI ath-ehci ath-ehci.0: new USB bus registered, assigned bus number 1 ehci_reset Intialize USB CONTROLLER in host mode: 13 ehci_reset Port Status 1c000000 ath-ehci ath-ehci.0: irq 3, io mem 0x1b000000 ehci_reset Intialize USB CONTROLLER in host mode: 13 ehci_reset Port Status 1c000000 ath-ehci ath-ehci.0: USB 2.0 started, EHCI 1.00 usb usb1: configuration #1 chosen from 1 choice hub 1-0:1.0: USB hub found hub 1-0:1.0: 1 port detected TCP cubic registered NET: Registered protocol family 17 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com> All bugs added by David S. Miller <davem@redhat.com> athwdt_init: Registering WDT success ath_otp_init: Registering OTP success ath_clksw_init: Registering Clock Switch Interface success VFS: Mounted root (squashfs filesystem) readonly on device 31:2. Freeing unused kernel memory: 112k freed init started: BusyBox v1.01 (2012.02.08-01:42+0000) multi-call binary This Board use 2.6.31 xt_time: kernel timezone is -0000 nf_conntrack version 0.5.0 (512 buckets, 5120 max) ip_tables: (C) 2000-2006 Netfilter Core Team insmod: cannot open module `/lib/modules/2.6.31/kernel/iptable_raw.ko': No such file or directory insmod: cannot open module `/lib/modules/2.6.31/kernel/flashid.ko': No such file or directory PPPoL2TP kernel driver, V1.0 PPTP driver version 0.8.3 insmod: cannot open module `/lib/modules/2.6.31/kernel/harmony.ko': No such file or directory (none) mips #55 Thu May 24 19:18:11 CST 2012 (none) (none) login: Now flash open!
The facts in brief:
- 32 MB DRAM
- 4 MB Flash
- obviously a Atheros AR934x SoC (the labeling on the chip says AR9341)
- 535 MHz CPU speed
Promising for the idea of getting OpenWRT onto it. Using a search engine of choice I found some passwords for the root user on TP-Link devices. Hopefully ones of these will work and saves me from finding it on my own. One did: 5up. I was in and able to find out more:
TL-WA801N login: root Password: Jan 1 00:00:41 login[211]: root login on `ttyS0' BusyBox v1.01 (2012.02.08-01:42+0000) Built-in shell (msh) Enter 'help' for a list of built-in commands. # "Password for root is 5up" # cat /proc/meminfo MemTotal: 30244 kB MemFree: 12628 kB Buffers: 2128 kB Cached: 6704 kB SwapCached: 0 kB Active: 3628 kB Inactive: 7052 kB Active(anon): 1848 kB Inactive(anon): 0 kB Active(file): 1780 kB Inactive(file): 7052 kB Unevictable: 0 kB Mlocked: 0 kB SwapTotal: 0 kB SwapFree: 0 kB Dirty: 0 kB Writeback: 0 kB AnonPages: 1868 kB Mapped: 1700 kB Slab: 4204 kB SReclaimable: 324 kB SUnreclaim: 3880 kB PageTables: 148 kB NFS_Unstable: 0 kB Bounce: 0 kB WritebackTmp: 0 kB CommitLimit: 15120 kB Committed_AS: 4148 kB VmallocTotal: 1048404 kB VmallocUsed: 2296 kB VmallocChunk: 1038248 kB # cat /proc/cpuinfo system type: Atheros AR934x processor: 0 cpu model: MIPS 74Kc V4.12 BogoMIPS: 267.26 wait instruction: yes microsecond timers: yes tlb_entries: 32 extra interrupt vector: yes hardware watchpoint: yes, count: 4, address/irw mask: [0x0ff8, 0x030c, 0x0050, 0x0620] ASEs implemented: mips16 dsp shadow register sets: 1 core: 0 VCED exceptions: not available VCEI exceptions: not available # cat /proc/partitions major minor #blocks name 31 0 128 mtdblock0 31 1 1024 mtdblock1 31 2 2816 mtdblock2 31 3 64 mtdblock3 31 4 64 mtdblock4 #
Obviously some features of the AR934x remain unused:
- the integrated ethernet switch
- the USB 2.0 interface
Seems as if a board using all interfaces exists and is sold by TP-Link as TL-WR841-V8.
All required information was available now. Now the more time-consuming part: creating a working OpenWRT image for this devices.
TasksOfOhm 
First of all, thank you so much for your post, it is the only one about this model of TP-Link I found on the web.
Can you tell me if it is possible to connect directly a raspberry pi to the TP-Link via serial line? It also works with 3.3 V. Do I also have to connect the 3.3V Pin from Raspberry to the one of TP-Link?
I have a bricked model here and hoped to get some informations on it … but all I can see is a mess of special characters, not reading one sense making word :-( I used minicom Version 2.6.1 to establish the serial connection.
Baudrate-Settings are as follows: 115200, 8-N-1, hardware & software control off
BTW; After switching on the TP-Link, all LED light on for abt. 1 sec, afterwards, Power-LED is always on, the other 4 LEDs are blinking slow all at the same time. It has been bricked with an OpenWRT-Software installed, trying to reinstall the original firmware via console.
In any case do not connect the 3.3V pin. Have you tried to lower the baudrate?
Yes, I tried any baudrate between 300 baud and 115k2 :-( no success!
I’m in the same exact situation of Rainer,
tl-wa801nd v2 with power led always on and the other leds blinking together
It’s happened when I reinstalled original firmware
Now, I got a usb to serial cable to connect to uart, but I’m very newbie, how can I do to see if boot works???
Ok. Get a bit clearer now. If you reinstalled original firmware without prior adjustments (see “Reverting a TP-Link TL-WA801ND from OpenWRT back to stock firmware” on this blog) it is very likely that flashed an unbootable filesystem.
Anyway right now finally I figured out how starting with Hyperterminal and finally I can see
U-Boot 1.1.4 (Jan 21 2013 – 19:03:42) … etc…etc…
It was two days I was getting just garbled characters opening Hyperterminal or Putty
Good to hear. But if your device is still not booting you will face the problem that TFTP is not working in that bootloader version…see “Unbricking a TP-Link TL-WA801ND v2” on this blog
EXACT!!!!
I’ve just read (in part 2) another user downgraded to former bootloader…..
I downloaded that bootloder but how can I downgrade it?
Read “Unbricking a TP-Link TL-WA801ND v2” on this blog
Hi,
I tried to flash my 801NDv2 with your latest bin on dropbox (openwrt-ar71xx-generic-tl-wa801nd-v2-squashfs-factory r41150.bin). Flasing worked. If I try to open the WebGUI on 192.168.1.1 I’ll get an error:
/usr/lib/lua/luci/dispatcher.lua:211: /etc/config/luci seems to be corrupt, unable to find section ‘main’
stack traceback:
[C]: in function ‘assert’
/usr/lib/lua/luci/dispatcher.lua:211: in function ‘dispatch’
/usr/lib/lua/luci/dispatcher.lua:195: in function
Can you tell me what to do?
BR
In the beginning a general remark: Before I upload the firmware images into my Dropbox I have installed them on my devices. I.e. they should basically work. As you receive an error message from the device it seems as if it’s still reachable. Have you tried to use an older image? Another option would be to reinstall luci from the command line. The device is still accessible via SSH?
EDIT:
Same here. You receive that error under System->Software, right? I just uploaded a new version (r41302) which fixed it at least for my devices.
Thxs for your reply. I get the error when I access 192.168.1.1 via bowser. So no GUI Access. I tried to connect via putty. Connection can be established,
but password admin for user root does not work.
Hi, do. you have a User/Pwd combination to revive the Router?
BR
Sounds like you’ve got an unconfigured device, i.e. there’s no password set at all. One option would be to connect to the UART and fix the configuration from the console.
Hi, as mentioned I can access the router via putty. But he wants a user with password. root/admin does not work. Which user/password comibination should work? I am not aware on fixinig it via UART. Do you have a hint/link/manual for this?
User root along with the password you’ve set before (if set at all) should be the correct login. Using the UART is described on this blog. Look in part 1 or in the unbricking page.
hi, in the meanwhile i can connect via telnet and ssh – i used wget to transfer the origiinal firmware to the router (/tmp). i tried recommendation i googled to flash over telnet (tftp seems not to work because firmware is there, only the webgui does not work – so the router seems not to come in the tftp receiving mode). But neither the command erase (for nvram) nor write are recognized by the console. do you have any futher idea how to revive the router?
What if you try to uninstall luci and install luci again via opkg?
hi, one step further. I uninstalled luci with “opkg remove -recursive luci-*”. After that i entered “opkg update” followed by “opkg install luci”. it start giving me at the end errors “No space left on device”. This is the current situation:
Filesystem Size Used Available Use% Mounted on
rootfs 768.0K 704.0K 64.0K 92% /
/dev/root 2.3M 2.3M 0 100% /rom
tmpfs 14.3M 564.0K 13.7M 4% /tmp
/dev/mtdblock3 768.0K 704.0K 64.0K 92% /overlay
overlayfs:/overlay 768.0K 704.0K 64.0K 92% /
tmpfs 512.0K 0 512.0K 0% /dev
Is it possible to flash original FW with Telnet/SSH?
Finally – i got back to original TP-LINK FW with mtd (but I had to use the oldest one – the most recent endet up in “[e]Failed to erase block” – Thxs for your patient support.