Bringing OpenWRT to TL-WA801ND v2 (Part 1, Reconnaissance)


Some time ago I was looking for some access points that ought to replace the existing one. I wanted to extend the reach of my WLAN and provide more capacity for the increasing demand of devices. All of course at reasonable costs.

I came across the devices from TP-Link which seem to provide exactly what I was looking for: 300 Mbps wireless N access points only (no unneeded features) at low costs. The models TL-WA801ND and TL-WA901ND (the ‘D‘ means they have detachable antennas) were the ones I was choosing between. Comparing the specifications it seems as if the only difference is an additional third antenna for the TL-WA901ND. Besides that they seem to be identical while the TL-WA901ND costs roughly 50% more than the TL-WA801ND.

I decided for the cheaper TL-WA801ND and ordered three of them and when I received them it turns out that they are v2 models.

TL-WA901NDA lot of TP-Link devices are covered by the OpenWRT project which gives you the freedom to customize devices within the limits the hardware provides. Unfortunately the TL-WA801ND is not amongst the listed devices and trying to flash a OpenWRT of a similar devices fails as the stock firmware checks it prior allowing to flash it.

Not a dead-end and maybe just some reconnaissance is required. So I started by unboxing the device and analyzing the findings.

TL-WA901ND with open caseFrom the above picture you can see that the board does not contain that much components. No surprise for a device at that price. The larger IC (TSOPII-66 package) seems to be a DRAM while the smaller one (164-pin LPCC package) is a Atheros SoC. Further research showed that I was right and the large IC is in fact a DRAM (A3S56D40FTP-G5I, 256 Mb manufactured by Zentel). The SOP-8 in the upper left turned out to be a S25FL032A/P (32-Mbit Flash Memory with SPI) from Spansion. It was very likely that the board is also having a UART port somewhere and an unpopulated area on the left side labeled JP1 draws my attention. You can see in more detail in the picture below.

TL-WA901ND JP1 positionEquipped with a DMM and a DSO I began with that jumper area. Bingo! It was too obvious and similar headers have been documented on the OpenWRT site. The result is as follows:

TP-Link UART PortNext step was to populate JP1 by soldering an appropriate pinheader to it.

TL-WA901ND with soldered pinheaderAfterwards I connected a USB-to-TTL serial cable to it (note that this port is using 3.3V levels!) and powered on the device awaiting more valuable information. The boot log was revealing:

U-Boot 1.1.4 (May 24 2012 - 19:13:20)

U-boot AP123

DRAM:  32 MB
id read 0x100000ff
Flash:  4 MB
Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ag934x_enet_initialize...
wasp reset mask:c03300
WASP ----> S27 PHY
GMAC: cfg1 0x5 cfg2 0x7114
eth0: ba:be:fa:ce:08:41
s27 reg init 
athrs27_phy_setup ATHR_PHY_CONTROL 4: 0x1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 4: 0x10
eth0 up
WASP ----> S27 PHY
GMAC: cfg1 0xf cfg2 0x7214
eth1: ba:be:fa:ce:08:41
s27 reg init lan 
ATHRS27: resetting s27
ATHRS27: s27 reset done
athrs27_phy_setup ATHR_PHY_CONTROL 0: 0x1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 0: 0x10
athrs27_phy_setup ATHR_PHY_CONTROL 1: 0x1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 1: 0x10
athrs27_phy_setup ATHR_PHY_CONTROL 2: 0x1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 2: 0x10
athrs27_phy_setup ATHR_PHY_CONTROL 3: 0x1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 3: 0x10
eth1 up
eth0, eth1
Autobooting in 1 seconds
## Booting image at 9f020000 ...
   Uncompressing Kernel Image ... OK

Starting kernel ...

Booting Atheros AR934x

Linux version 2.6.31--LSDK-9.2.0_U5.508 (zhongjin@rd3linux.tplink) (gcc version 4.3.3 (GCC) ) #55 Thu May 24 19:18:11 CST 2012
flash_size passed from bootloader = 4
Ram size passed from bootloader =33554432
CPU revision is: 0001974c (MIPS 74Kc)
ath_sys_frequency: cpu srif ddr srif cpu 535 ddr 400 ahb 200
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
Zone PFN ranges:
  Normal   0x00000000 -> 0x00002000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00002000
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 8128
Kernel command line: console=ttyS0,115200 root=31:2 rootfstype=squashfs init=/sbin/init mtdparts=ath-nor0:128k(u-boot),1024k(kernel),2816k(rootfs),64k(config),64k(art) mem=32M
PID hash table entries: 128 (order: 7, 512 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
Writing ErrCtl register=00000000
Readback ErrCtl register=00000000
Memory: 30132k/32768k available (1722k kernel code, 2636k reserved, 426k data, 112k init, 0k highmem)
NR_IRQS:128
plat_time_init: plat time init done
Calibrating delay loop... 267.26 BogoMIPS (lpj=534528)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
bio: create slab  at 0
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
NET: Registered protocol family 1
ATH GPIOC major 0
squashfs: version 4.0 (2009/01/31) Phillip Lougher
msgmni has been set to 58
io scheduler noop registered
io scheduler deadline registered (default)
Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
serial8250.0: ttyS0 at MMIO 0xb8020000 (irq = 19) is a 16550A
console [ttyS0] enabled
PPP generic driver version 2.4.2
NET: Registered protocol family 24
5 cmdlinepart partitions found on MTD device ath-nor0
Creating 5 MTD partitions on "ath-nor0":
0x000000000000-0x000000020000 : "u-boot"
0x000000020000-0x000000120000 : "kernel"
0x000000120000-0x0000003e0000 : "rootfs"
0x0000003e0000-0x0000003f0000 : "config"
0x0000003f0000-0x000000400000 : "art"
->Oops: flash id 0x1c3016 . 
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
Port Status 1c000004 
ath-ehci ath-ehci.0: ATH EHCI
ath-ehci ath-ehci.0: new USB bus registered, assigned bus number 1
ehci_reset Intialize USB CONTROLLER in host mode: 13
ehci_reset Port Status 1c000000 
ath-ehci ath-ehci.0: irq 3, io mem 0x1b000000
ehci_reset Intialize USB CONTROLLER in host mode: 13
ehci_reset Port Status 1c000000 
ath-ehci ath-ehci.0: USB 2.0 started, EHCI 1.00
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
TCP cubic registered
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
athwdt_init: Registering WDT success
ath_otp_init: Registering OTP success
ath_clksw_init: Registering Clock Switch Interface success
VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
Freeing unused kernel memory: 112k freed

init started:  BusyBox v1.01 (2012.02.08-01:42+0000) multi-call binary
This Board use 2.6.31
xt_time: kernel timezone is -0000
nf_conntrack version 0.5.0 (512 buckets, 5120 max)
ip_tables: (C) 2000-2006 Netfilter Core Team
insmod: cannot open module `/lib/modules/2.6.31/kernel/iptable_raw.ko': No such file or directory
insmod: cannot open module `/lib/modules/2.6.31/kernel/flashid.ko': No such file or directory
PPPoL2TP kernel driver, V1.0
PPTP driver version 0.8.3
insmod: cannot open module `/lib/modules/2.6.31/kernel/harmony.ko': No such file or directory

 (none) mips #55 Thu May 24 19:18:11 CST 2012 (none)

(none) login: Now flash open!

The facts in brief:

  • 32 MB DRAM
  • 4 MB Flash
  • obviously a Atheros AR934x SoC (the labeling on the chip says AR9341)
  • 535 MHz CPU speed

Promising for the idea of getting OpenWRT onto it. Using a search engine of choice I found some passwords for the root user on TP-Link devices. Hopefully ones of these will work and saves me from finding it on my own. One did: 5up. I was in and able to find out more:

TL-WA801N login: root
Password: 
Jan  1 00:00:41 login[211]: root login  on `ttyS0'

BusyBox v1.01 (2012.02.08-01:42+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

# "Password for root is 5up"

# cat /proc/meminfo 
MemTotal:          30244 kB
MemFree:           12628 kB
Buffers:            2128 kB
Cached:             6704 kB
SwapCached:            0 kB
Active:             3628 kB
Inactive:           7052 kB
Active(anon):       1848 kB
Inactive(anon):        0 kB
Active(file):       1780 kB
Inactive(file):     7052 kB
Unevictable:           0 kB
Mlocked:               0 kB
SwapTotal:             0 kB
SwapFree:              0 kB
Dirty:                 0 kB
Writeback:             0 kB
AnonPages:          1868 kB
Mapped:             1700 kB
Slab:               4204 kB
SReclaimable:        324 kB
SUnreclaim:         3880 kB
PageTables:          148 kB
NFS_Unstable:          0 kB
Bounce:                0 kB
WritebackTmp:          0 kB
CommitLimit:       15120 kB
Committed_AS:       4148 kB
VmallocTotal:    1048404 kB
VmallocUsed:        2296 kB
VmallocChunk:    1038248 kB

# cat /proc/cpuinfo 
system type: Atheros AR934x
processor: 0
cpu model: MIPS 74Kc V4.12
BogoMIPS: 267.26
wait instruction: yes
microsecond timers: yes
tlb_entries: 32
extra interrupt vector: yes
hardware watchpoint: yes, count: 4, address/irw mask: [0x0ff8, 0x030c, 0x0050, 0x0620]
ASEs implemented: mips16 dsp
shadow register sets: 1
core: 0
VCED exceptions: not available
VCEI exceptions: not available

# cat /proc/partitions 
major minor  #blocks  name

  31        0        128 mtdblock0
  31        1       1024 mtdblock1
  31        2       2816 mtdblock2
  31        3         64 mtdblock3
  31        4         64 mtdblock4
#

Obviously some features of the AR934x remain unused:

  • the integrated ethernet switch
  • the USB 2.0 interface

Seems as if a board using all interfaces exists and is sold by TP-Link as TL-WR841-V8.

All required information was available now. Now the more time-consuming part: creating a working OpenWRT image for this devices.

Proceed to the next part

Advertisements

21 thoughts on “Bringing OpenWRT to TL-WA801ND v2 (Part 1, Reconnaissance)”

  1. First of all, thank you so much for your post, it is the only one about this model of TP-Link I found on the web.
    Can you tell me if it is possible to connect directly a raspberry pi to the TP-Link via serial line? It also works with 3.3 V. Do I also have to connect the 3.3V Pin from Raspberry to the one of TP-Link?
    I have a bricked model here and hoped to get some informations on it … but all I can see is a mess of special characters, not reading one sense making word :-( I used minicom Version 2.6.1 to establish the serial connection.
    Baudrate-Settings are as follows: 115200, 8-N-1, hardware & software control off
    BTW; After switching on the TP-Link, all LED light on for abt. 1 sec, afterwards, Power-LED is always on, the other 4 LEDs are blinking slow all at the same time. It has been bricked with an OpenWRT-Software installed, trying to reinstall the original firmware via console.

    1. I’m in the same exact situation of Rainer,

      tl-wa801nd v2 with power led always on and the other leds blinking together

      It’s happened when I reinstalled original firmware

      Now, I got a usb to serial cable to connect to uart, but I’m very newbie, how can I do to see if boot works???

      1. Ok. Get a bit clearer now. If you reinstalled original firmware without prior adjustments (see “Reverting a TP-Link TL-WA801ND from OpenWRT back to stock firmware” on this blog) it is very likely that flashed an unbootable filesystem.

      2. Anyway right now finally I figured out how starting with Hyperterminal and finally I can see
        U-Boot 1.1.4 (Jan 21 2013 – 19:03:42) … etc…etc…

        It was two days I was getting just garbled characters opening Hyperterminal or Putty

      3. Good to hear. But if your device is still not booting you will face the problem that TFTP is not working in that bootloader version…see “Unbricking a TP-Link TL-WA801ND v2” on this blog

  2. I’ve just read (in part 2) another user downgraded to former bootloader…..

    I downloaded that bootloder but how can I downgrade it?

  3. Hi,

    I tried to flash my 801NDv2 with your latest bin on dropbox (openwrt-ar71xx-generic-tl-wa801nd-v2-squashfs-factory r41150.bin). Flasing worked. If I try to open the WebGUI on 192.168.1.1 I’ll get an error:

    /usr/lib/lua/luci/dispatcher.lua:211: /etc/config/luci seems to be corrupt, unable to find section ‘main’
    stack traceback:
    [C]: in function ‘assert’
    /usr/lib/lua/luci/dispatcher.lua:211: in function ‘dispatch’
    /usr/lib/lua/luci/dispatcher.lua:195: in function

    Can you tell me what to do?

    BR

    1. In the beginning a general remark: Before I upload the firmware images into my Dropbox I have installed them on my devices. I.e. they should basically work. As you receive an error message from the device it seems as if it’s still reachable. Have you tried to use an older image? Another option would be to reinstall luci from the command line. The device is still accessible via SSH?

      EDIT:
      Same here. You receive that error under System->Software, right? I just uploaded a new version (r41302) which fixed it at least for my devices.

      1. Thxs for your reply. I get the error when I access 192.168.1.1 via bowser. So no GUI Access. I tried to connect via putty. Connection can be established,
        but password admin for user root does not work.

      2. Sounds like you’ve got an unconfigured device, i.e. there’s no password set at all. One option would be to connect to the UART and fix the configuration from the console.

      3. Hi, as mentioned I can access the router via putty. But he wants a user with password. root/admin does not work. Which user/password comibination should work? I am not aware on fixinig it via UART. Do you have a hint/link/manual for this?

      4. User root along with the password you’ve set before (if set at all) should be the correct login. Using the UART is described on this blog. Look in part 1 or in the unbricking page.

      5. hi, in the meanwhile i can connect via telnet and ssh – i used wget to transfer the origiinal firmware to the router (/tmp). i tried recommendation i googled to flash over telnet (tftp seems not to work because firmware is there, only the webgui does not work – so the router seems not to come in the tftp receiving mode). But neither the command erase (for nvram) nor write are recognized by the console. do you have any futher idea how to revive the router?

    2. hi, one step further. I uninstalled luci with “opkg remove -recursive luci-*”. After that i entered “opkg update” followed by “opkg install luci”. it start giving me at the end errors “No space left on device”. This is the current situation:
      Filesystem Size Used Available Use% Mounted on
      rootfs 768.0K 704.0K 64.0K 92% /
      /dev/root 2.3M 2.3M 0 100% /rom
      tmpfs 14.3M 564.0K 13.7M 4% /tmp
      /dev/mtdblock3 768.0K 704.0K 64.0K 92% /overlay
      overlayfs:/overlay 768.0K 704.0K 64.0K 92% /
      tmpfs 512.0K 0 512.0K 0% /dev

      Is it possible to flash original FW with Telnet/SSH?

      1. Finally – i got back to original TP-LINK FW with mtd (but I had to use the oldest one – the most recent endet up in “[e]Failed to erase block” – Thxs for your patient support.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s