TP-Link begins router firmware lockdown due to FCC proposed regulation


Matthias Strubel

Feb 18, 2016, 5:47:05 AM
to libra...@googlegroups.com
(formatted quote)
Thanks for waiting. Right now only these products have a limitation on
firmware:

Archer C7 V2
Archer C1900 V1
Touch P5 V1
Archer C2600 V1
Archer C3200 V1
Archer C2 V1
Archer C5 V2
Archer C8 V1
Archer C9 V1
TL-WR841N V11
TL-WDR3500 V1
TL-WR940N V3.0
TL-WR1043ND V3.0
TL-WR710N(USA)
TL-WR841N V9.0

and all products will also limit firmware in the future.

There, the mess with the new FCC rules begins.

best regards
Matthias

Jason Griffey

Feb 21, 2016, 10:43:08 PM
to libra...@googlegroups.com

Update: According to this story about the locking:


only routers with 5GHz signals are going to be locked down, 2.4GHz-only routers will be unaffected, which means the "standard" LibraryBox builds (MR3040, MR3020) will hopefully remain possible.

If not, there's always the gl-iNet routers. :-)

Jason


Matthias Strubel

Feb 21, 2016, 11:20:44 PM
to libra...@googlegroups.com
Thanks for the update, but I'm not quite sure if the 5GHz story is true. At least the 841nd is 2.5GHz only: http://www.tp-link.com/lk/products/details/cat-9_TL-WR841ND.html

Jason Griffey

Feb 21, 2016, 11:25:27 PM
to libra...@googlegroups.com

I agree, I haven't found verification of the 2.4 thing, but it's the first ray of hope I've had since the initial reports. So I'm hoping!

I'm going to keep digging.

Jason

Matthias Strubel

Feb 21, 2016, 11:30:10 PM
to libra...@googlegroups.com
I found a tweet that the EU devices are currently not affected.

I want to stress my added word *currently*.

Region-specific firmware becomes expensive - it is only a matter of time until it will be normalized.

GeoDirk

Feb 22, 2016, 1:38:01 PM
to LibraryBox
I just know that the latest batch of 703N's that I got from China have the new 1.7 version of the firmware.  Those devices are locked out.  If anyone plans on using that router, make sure that you get the older 1.6 firmware otherwise you are locked out.  :-(

GeoDirk

Matthias Strubel

Feb 22, 2016, 1:51:10 PM
to libra...@googlegroups.com
Hi GeoDirk,
according to my information, the v1.7 was working, so I would expect a v1.8 as not working.

Can you find some kind of manufacturing date somewhere?

Matthias

GeoDirk

Feb 24, 2016, 10:22:16 AM
to LibraryBox

Hi Matthias,

I've opened up both the 1.6 and 1.7 boxes and taken some photos of the inside and outside of them:

version 1.6 (left) and 1.7 (right)

version 1.6 (left) and 1.7 (right)

Back side: version 1.6 (left) and 1.7 (right)

Other than the small sticker on the LAN port and the different memory chip used, there doesn't seem to be any difference between the two boards.  The box labels are clearly different with the 1.7 version boldly printed on the outside.

On the Chinese web interface side, other than the initial login (which uses a username/password combo of 'admin1' on the 1.7 version), there isn't much change:

version 1.6

version 1.7

Obviously the version numbers on the above web pages have changed as well:

1.6 Router: 3.12.11 Build 110926 Rel 40632n
1.7 Router: 3.17.1 Build 140120 Rel 56593n

Using the latest 703n firmware download from this site and trying to upload it into the 1.7 router, I get this error message:

Which when I post that Chinese into Bing Translate, I get this:

Which says, "Errors   Error code: 18005   Uploaded does not match the file versions and models.".  That certainly sounds like the 1.7 version of the 703n router has been locked down.

GeoDirk

Feb 24, 2016, 10:26:01 AM
to LibraryBox
Sorry, that second image has the caption backwards.  It is the 1.7 model on the left and the 1.6 on the right.  Also, I just noticed that the GROUP-TEK IC chip has a different version number on it between the two.

- GeoDirk

Matthias Strubel

Feb 24, 2016, 10:34:28 AM
to libra...@googlegroups.com
Hi GeoDirk,
thank you for your effort! That is a very detailed report.

I think our image doesn't fulfill the requirements to be detected by the TPLink Firmware.

I propose the following for testing:
  Download the corresponding ChaosCalmer firmware from downloads.openwrt.org as soon as their website is 100% back online. Try reflashing the device using the original firmware.

If that works, you can "downgrade" to the librarybox firmware.


I come to this conclusion, because TPLink mentioned itself, that they are flashing the devices with region based firmware => and currently US only is affected.
The WR703 is a China model.

What do you think about that testing method?

best regards
Matthias


GeoDirk

Feb 24, 2016, 10:57:51 AM
to LibraryBox
This is probably true.  I'm open to trying out the newer OpenWRT image and seeing if I can then downgrade.  I see what you mean about the official website not being up to download the new image.  I'm getting a 404 error...  Aren't the OpenWRT images mirrored anywhere else???

- GeoDirk

Matthias Strubel

Feb 24, 2016, 11:14:23 AM
to libra...@googlegroups.com
I'm afraid these images aren't officially anywhere :-(

Thanks for your offer,
Matthias 

Jason Griffey

Feb 24, 2016, 11:37:47 AM
to libra...@googlegroups.com

That is an amazing report, and thank you SO much for the details. 

I'm trying to find a contact at TP-Link that will talk with me about this now so I can get some clarity. Nothing thus far, but I'll keep poking.

More info as I get it.

Jason

GeoDirk

Feb 24, 2016, 11:58:07 AM
to LibraryBox
Hey Jason & Matthias,

Well the OpenWRT downloads page got back up and I tried using the official Chaos Calmer (15.05) version through the Chinese web interface.  No luck - I get the same error message as your version of the firmware. 

Looking at the OpenWRT page for the 703n, there is a discussion here about how to flash the 1.7 version:

https://wiki.openwrt.org/toh/tp-link/tl-wr703n#tftp_install_necessary_on_v17_hardware

It looks like you need to connect up a serial cable to the ports on the board itself, split the image up, tftp it over, etc.  Certainly not something beyond what I can do but obviously not as simple as I would have desired.  I have 70 of these 1.7 routers already modded out with external antenna connections so I'm looking for something a little less involved.  Some of the thread from the original instructions on that link indicated that the firmware validation checking seems to be happening only at the GUI stage.  So I'm wondering if I could just try to split up the LB's firmware and just push that through over the connection?  I'll start off with trying to get Chaos Calmer on there first and then seeing if I can just downgrade from the console using the 'mtd' command.  But if I could eliminate that step and not brick the router, that would be a huge time saver.

I've lost my serial to usb adapter somewhere and have another one on order for Friday delivery.  I'll have to look back into this after that.

Obviously, at this point, I certainly recommend that people stay away from buying anything but the 1.6 or less version of the router.

- GeoDirk

Matthias Strubel

Feb 24, 2016, 12:30:45 PM
to libra...@googlegroups.com
Hi,
oh, thanks for the clarification about the WR703N 1.7!

Yes, it should be possible to upload the LB-firmware via tftp.

Matthias


GeoDirk

Feb 24, 2016, 12:42:50 PM
to LibraryBox
Ok....reading through those instructions again (slowly this time), it appears that you just push commands to the 1.7 router from a bash prompt.  You utilize an exploit in the web page to get root access.  No serial to USB cable or soldering necessary unless you brick the router.  I'll give it a try and report back.

But if the above is true, then I'm going to stand by my original assertion that the 703n model is now firmware locked out starting at version 1.7.  Beware.

- GeoDirk

GeoDirk

Feb 25, 2016, 8:30:44 AM
to LibraryBox
After trying those instructions more than a few times from my Mac setup, it never worked.  Never any errors - just didn't work.  The 1.7 firmware still is the old Chinese one.  Bummer.

- GeoDirk

GeoDirk

Feb 25, 2016, 1:46:13 PM
to LibraryBox
I found something that works....sort of.  Instead of using a Mac, I followed the instructions from here using Windows:

www.shadowandy.net/2015/03/flashing-tp-link-tl-wr703n-v1-7-to-openwrt.htm

I was able to take one router and get it to load OpenWRT Chaos Calmer onto it.  With the Windows TFTP server, I was able to see the log get created when the router did its download.  I never saw that under the Mac.  Using the OpenWRT firmware's web interface, I was able to load up the LB's version of the firmware without any complaint.  It took, but there is one problem: I can telnet into it but it doesn't mount the USB drive.

On a second 1.7 box, using the instructions above, instead of using the Chaos Calmer firmware, I split up the LB firmware and followed the instructions.  I'm able to now directly load up the firmware and bypass the TP Link issues to get the LB firmware installed first.  However, the same issue is now present, it hasn't mounted the USB drive so it won't run the install scripts, etc.

So, what would be the commands to try to manually install the USB drive on a LB firmware?

Or, now that I'm in the box, just how would I get access to push a different firmware if I can't access the USB drive?  I can run the 'mtd' command but the other necessary commands (e.g., curl & tftp) aren't present in the system.  I'm sure that even if those were present, there probably isn't enough system memory to hold the files.  Any suggestions?

Thanks,  GeoDirk

Matthias Strubel

Feb 25, 2016, 4:09:51 PM
to libra...@googlegroups.com
Hi,
I'm still wondering if you can't install the LB image in the same way via TFTP like the ChaosCalmer image.

You have four options to get the image to box:

1. Enable wifi, reconfigure your lan port as a lan port and get the file directly via the internet.
2. Reconfigure the wifi as a wifi client and get the file directly via internet
3. Upload the file via webui, which should be installed per default on CC
4. Use these instructions to get the file to your box and reflash manually: https://piratebox.cc/openwrt:reflash_wo_usb

best regards
Matthias


GeoDirk

Feb 25, 2016, 4:54:41 PM
to LibraryBox


On Thursday, February 25, 2016 at 3:09:51 PM UTC-6, Matthias Strubel wrote:
> Hi,
> I'm still wondering if you can't install the LB image in the same way via TFTP like the ChaosCalmer image.

Yep, that is what I did on the second router.  I busted up the LB image into the two parts and it booted just like the Chaos Calmer one.  After plugging in and unplugging this router a few times, it finally decided to recognize the USB drive and do the install of LB.  I'm not sure what triggered its change of heart to start working properly....   On the first router, I've plugged, unplugged, rebooted, etc and it still won't trigger mounting the USB stick.  I'll work through your steps to see if I can get the image downloaded onto the box to try to do a reflash.  I found that at least 'wget' is installed so there is hope.

- GeoDirk

GeoDirk

Feb 26, 2016, 10:01:54 AM
to LibraryBox


On Thursday, February 25, 2016 at 3:09:51 PM UTC-6, Matthias Strubel wrote:
> You have four options to get the image to box:
>
> 1. Enable wifi, reconfigure your lan port as a lan port and get the file directly via the internet.
> 2. Reconfigure the wifi as a wifi client and get the file directly via internet
> 3. Upload the file via webui, which should be installed per default on CC
> 4. Use these instructions to get the file to your box and reflash manually: https://piratebox.cc/openwrt:reflash_wo_usb


Thanks for those tips.  Reading through those led me to think of a different and super simple solution.  Here is what I ended up doing to reflash with a new firmware when you don't have a mounted USB drive.  I figured out the router had a bunch of partitions with varying space.  The /tmp folder seemed to be the only area that had enough space so I used WinSCP to log into the router (using SCP mode) and place the firmware file in that directory.  Note: you need to set a password for root using the 'passwd' command to get access to SCP.  After that it was a simple matter of telnetting into the router and running the 'mtd' command to tell it to reflash.  I've been able to easily go back and forth through various different firmwares using this method.

So the good news is that LB 2.1 will install on these newer WR703n's with the 1.7 firmware if you are willing to go through all the hacks!  My 70 routers that I ordered will now become useful again.

Thanks for the help!

- GeoDirk
 

T Gillett

Feb 26, 2016, 4:14:36 PM
to LibraryBox
@GeoDirk

Thanks for this info and all your work.

Would it be possible to post a step by step summary of the steps you have taken starting from a new TP Link device to get to a working LB device please?

The email trail has become a little convoluted and I have lost track of what the overall solution is.

Thanks again.

GeoDirk

Mar 1, 2016, 9:00:53 AM
to LibraryBox
Hey T,

You can follow these instructions here as they were the ones that eventually worked for me: www.shadowandy.net/2015/03/flashing-tp-link-tl-wr703n-v1-7-to-openwrt.htm  The only thing you can modify is the part where instead of using the official OpenWRT firmware and breaking that up, substitute the LB's firmware.  I was able to get this working quite successfully under Windows but not from a Mac.

FWIW - Since I have 70 of these 1.7 routers to flash, I'm writing a front end that will wrap all of this process up together into a couple of clicks.  It shouldn't take me more than a couple of days (depending on my interruptions) to get that pulled together.  I'll create a new thread (since this one ended up being rather hijacked) and post the link to that tool once I'm done with it.

- GeoDirk

T Gillett

Mar 1, 2016, 10:35:48 PM
to libra...@googlegroups.com
Many thanks.
Glad you have recovered your situation - 70 unused routers would be a pain.

I wonder how long the exploit on TP devices will remain in place.
You would really have to think twice before buying any more devices, particularly in quantity.

I think FCC / TP Link et al have effectively forced us all to move to devices based natively on OpenWrt.
This is a bit sad because the worldwide distribution of economical TP devices was one of their attractions.

T


GeoDirk

Mar 2, 2016, 2:06:46 PM
to LibraryBox
The weird thing about this whole issue is that the 703n is not sold in the U.S.  It is a Chinese branded version only sold for retail there.  Why is this model's firmware locked down starting with the 1.7 version???  The FCC excuse doesn't cut it.  There has to be something else corporate wise going on with TP-Link for them to have started doing this.

For what it is worth, I was told through a friend who has contacts with TP-Link that the MR3040 version will remain "open" firmware.  It might be time to switch over to that router.  I'll miss the 703n's easy ability to hack on an external antenna, size and ability to put on whatever size battery you want.  But as you said, risking a large order over this isn't worth it.

As expected, I've been interrupted more than a few times with my 703n hack program.  But it's coming along....

- GeoDirk

Matthias Strubel

Mar 2, 2016, 2:35:47 PM
to libra...@googlegroups.com
Here is the clarification for your thoughts:

  - Every Web-UI is checking the file, which you are uploading. This is happening since ages.
  - The check happens after the upload.
  - The original firmware takes the uploaded firmware and does checks against values inside the uploaded firmware file. Let's say for this case: "Is the firmware file for model WR703N?" and "Does my hardware version "1.7" equal the firmware version "1.7"?"
  - The Librarybox image file claims itself for "WR703N" - version 1 , but the firmware is able to run on each version.
  - The Chaos Calmer firmware explains itself as version 1.7

Ok. Before hardware version 1.7 was released, the hardware before maybe checked only for "version 1", so everything was working. For some reason "hardware 1.7" does not work with previous original TPLink firmware, so they raised the internal number to "1.7". This was done to prevent user errors and wrongly flashed WR703N firmwares.

The webui now suddenly checks the LibraryBox firmware "wr703n version1" against the necessary "wr703N version 1.7" and fails. That is the reason why you can't flash directly.

To circumvent that, I recommended to install ChaosCalmer (CC) first, which worked. The "downgrade" from CC to LibraryBox worked, because OpenWrt checks differently compared to the original firmware.

Conclusion:
  The 1.7 version is much longer on the market than the FCC discussion and TPLink had some reason to change the firmware-version check internally. That check prevents uploading the LibraryBox image, because our firmware does not know "the magic words".

That is everything, explained on an abstract level and as non-technical as possible (for me).

Hope that helps
Matthias


GeoDirk

Mar 2, 2016, 2:59:21 PM
to LibraryBox
Hi Matthias,

You're probably right on how the web GUI does the firmware check and that they did it to just keep people from bricking their routers with old firmware.  But just to clarify, OpenWRT Chaos Calmer doesn't work through the new 1.7 web GUI either.  I had to go through the exploit in order to get that loaded on.  So you really don't have to load on the OpenWRT firmware first before the LB one.  Just follow the instructions here http://www.shadowandy.net/2015/03/flashing-tp-link-tl-wr703n-v1-7-to-openwrt.htm except use the DD command to split up the LB firmware.  It will work.

Now if we could just find out what those "magic words" are, we would be set.  If they are doing this from the web GUI, then I'm guessing that they are just going x number of bytes into the firmware's file looking for that "WR703N - version 1.7" type of wording rather than something more drawn out.  BTW - any idea where you can download the official firmware for the 703n?  I can only find the firmware for the 702n model.

- GeoDirk

GeoDirk

Mar 2, 2016, 3:10:52 PM
to LibraryBox
Please tell me that it isn't just this easy.  The below image is a hex dump from the original WR703n's 1.6 stock firmware.  I don't have the 1.7's stock firmware to verify, but if my suspicions are correct, then it might be as simple as changing the "ver. 1.0" to "ver. 1.7" with a hex editor and we might be able to get this to work via the web GUI.


I'll need a copy of the stock version of the 1.7 firmware to check.  I would be willing to risk bricking a router to give it a try if someone could point me to where I can get a copy of the 1.7 firmware.
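
The header fields this part of the thread circles around (the model/version comparison Matthias describes and the "ver. 1.0" text in the hex dump), read out by a small parser; this is an added example, not code from the thread, TP-Link or OpenWrt. It assumes the 512-byte v1 header layout used by OpenWrt's mktplinkfw tool; `upload_check` is a hypothetical model of the comparison, and the identifiers in the sample image are constructed.

```python
import struct

HEADER_LEN = 512                      # v1 header size in the assumed mktplinkfw layout
PREFIX = struct.Struct(">I24s36sII")  # version, vendor[24], fw_version[36], hw_id, hw_rev
MD5_OFFSET = 0x4C                     # 16-byte digest field after hw_rev and one unknown word


def _text(raw):
    """Decode a NUL-padded ASCII header field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def parse_header(image):
    """Return the identity fields from the first 512 bytes of an image."""
    if len(image) < HEADER_LEN:
        raise ValueError("file is shorter than one %d-byte header" % HEADER_LEN)
    version, vendor, fw_version, hw_id, hw_rev = PREFIX.unpack_from(image, 0)
    return {
        "header_version": version,
        "vendor": _text(vendor),
        "fw_version": _text(fw_version),  # the "ver. 1.0" text visible in a hex dump
        "hw_id": hw_id,                   # numeric model identifier
        "hw_rev": hw_rev,                 # numeric hardware revision
        # In mktplinkfw this field holds an MD5 computed over the image, so the
        # text and numeric fields above are covered by a digest.
        "md5": image[MD5_OFFSET:MD5_OFFSET + 16].hex(),
    }


def upload_check(header, device_hw_id, device_hw_rev):
    """Hypothetical model/revision gate; returns the reasons an image is refused."""
    reasons = []
    if header["hw_id"] != device_hw_id:
        reasons.append("model mismatch: image 0x%08x, device 0x%08x"
                       % (header["hw_id"], device_hw_id))
    if header["hw_rev"] != device_hw_rev:
        reasons.append("revision mismatch: image %d, device %d"
                       % (header["hw_rev"], device_hw_rev))
    return reasons


def build_sample(fw_version, hw_id, hw_rev):
    """Constructed test image: zero-filled header with only identity fields set."""
    header = bytearray(HEADER_LEN)
    PREFIX.pack_into(header, 0, 0x01000000, b"TP-LINK Technologies",
                     fw_version.encode("ascii"), hw_id, hw_rev)
    return bytes(header) + b"\x00" * 1024  # stand-in for kernel and rootfs


# Constructed identifiers, not values read from any real device or image.
SAMPLE_HW_ID = 0x0AAA0001
IMAGE_REV, DEVICE_REV = 1, 2

if __name__ == "__main__":
    hdr = parse_header(build_sample("ver. 1.0", SAMPLE_HW_ID, IMAGE_REV))
    for name, value in hdr.items():
        print("%-15s %s" % (name, value))
    print(upload_check(hdr, SAMPLE_HW_ID, DEVICE_REV) or "accepted")
```

In this layout the version text, the numeric model and revision fields, and a digest are separate header fields, so the readable string in a hex dump is only one of the values a check could compare.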

GeoDirk

Mar 2, 2016, 4:03:34 PM
to LibraryBox
Found the official 1.7 firmware up on the TP-Link Chinese website.  Used the 'mtd' command to try and write the firmware to one of my hacked 1.7 routers and got this error message on the command line after it wrote a bunch of info to the unit:

Writing from wr703nv1.bin to firmware....  [e]Failed to erase block

I immediately tried to write over firmware that I know works, but upon reboot, the unit is bricked.   Looks like we are stuck with the longer hack....  I'll go back to writing my hacking program.

- GeoDirk

Matthias Strubel

Mar 2, 2016, 4:17:46 PM
to libra...@googlegroups.com
I assume the original TPLink firmware needs to have the bootloader cut off!
This is true for a lot of TPLink products, see http://www.friedzombie.com/tplink-stripped-firmware/


T Gillett

Mar 5, 2016, 3:46:58 PM
to libra...@googlegroups.com

Another workaround shown here:

https://forum.openwrt.org/viewtopic.php?id=63123





GeoDirk

Mar 6, 2016, 9:18:37 PM
to LibraryBox
Thanks for the link...I guess there are a few ways in.

FYI - I made a program to do the hack in a couple of clicks using the other method.  It copies over the LB installer to a USB stick, side loads in any other files you want to put on your stick, generates one of three different kinds of firmware hacks (LB firmware, OpenWRT, and my own rolled one that includes the Unicode patch as well as unzip; plus whatever other one you desire to load on your own), includes the TFTP router, then just one more click does the hack.  It works well.  All I need to do is finish the instructions before I release it.  I'm out of town this coming week, but I see no problems releasing this in the wild next week.




- GeoDirk

Dimitrios Sioufas

Mar 9, 2016, 4:12:05 AM
to LibraryBox
Any update?

Thanks