Mounir ORFI

Yet another network engineer...

TP-Link WR642G SPI Flash Dump


Following my previous blog post, Exploring the TP-Link WR542G / WR642G SOHO routers, I'll show how I recently got access to the TP-Link WR642G firmware by dumping the flash IC directly with an AVR328P MCU (Arduino Duemilanove board).

If you ever brick your router by uploading the wrong firmware, thus corrupting the bootloader, the only way to restore it is by writing directly to the flash IC.

Desoldering the flash memory

The TP-Link WR642G uses an SPI Spansion FL016A1F, which first needs to be desoldered. I found that the solder bridge method works quite well, as it spreads the heat across all the legs at the same time; check the video below for more details:

Then wire the flash to your MCU following the pinout given in the Spansion datasheet (keep in mind that the flash IC runs at 3.3 V).

Dumping…

For convenience I soldered the flash IC onto a breakout board left over from another project:

I wrote a small program in plain C that reads the flash memory over the SPI bus and streams it out of the UART interface. You can clone my source code (git clone git://github.com/orfix/spiflash) or write your own if you like :)

The entire 2 MiB dump takes around 3 min when the console is configured at a baud rate of 115200.

Dumping the firmware
$
$ stty -F /dev/ttyUSB0 115200 -icrnl -ixon -ixoff -opost -isig -icanon -echo
$ cat /dev/ttyUSB0 > firmware.bin &
[1] 14208
$
$ ls -l firmware.bin 
-rw-r--r-- 1 mounir mounir 0 30 juin  00:51 firmware.bin
$
$ echo -n 'x' > /dev/ttyUSB0
$ ls -l firmware.bin 
-rw-r--r-- 1 mounir mounir 340057 30 juin  00:52 firmware.bin
$
$ ls -l firmware.bin 
-rw-r--r-- 1 mounir mounir 2097152 30 juin  00:54 firmware.bin
$

The dumped file can be used to restore the router if it gets bricked in the future, and I am pretty sure it will :]

Firmware content
$
$ md5sum firmware.bin 
95ebcd860f9a403c7a57bef4a1dba259  firmware.bin
$
$ hexdump -C firmware.bin | grep -i -A 5 "copyright"
00000400  43 6f 70 79 72 69 67 68  74 20 32 30 30 33 2d 32  |Copyright 2003-2|
00000410  30 30 35 20 54 50 2d 4c  49 4e 4b 20 54 45 43 48  |005 TP-LINK TECH|
00000420  4e 4f 4c 4f 47 49 45 53  05 42 00 04 00 00 00 10  |NOLOGIES.B......|
00000430  24 04 00 02 00 80 80 21  3c 09 00 80 40 89 68 00  |$......!<...@.h.|
00000440  00 00 00 00 40 80 90 00  00 00 00 00 40 80 98 00  |....@.......@...|
00000450  00 00 00 00 00 00 00 00  00 00 00 40 00 00 00 40  |...........@...@|
--
00004f50  43 6f 70 79 72 69 67 68  74 20 31 39 38 34 2d 32  |Copyright 1984-2|
00004f60  30 30 32 20 57 69 6e 64  20 52 69 76 65 72 20 53  |002 Wind River S|
00004f70  79 73 74 65 6d 73 2c 20  49 6e 63 2e 0a 54 68 69  |ystems, Inc..Thi|
00004f80  73 20 70 72 6f 67 72 61  6d 20 63 6f 6e 74 61 69  |s program contai|
00004f90  6e 73 20 63 6f 6e 66 69  64 65 6e 74 69 61 6c 20  |ns confidential |
00004fa0  69 6e 66 6f 72 6d 61 74  69 6f 6e 20 6f 66 20 57  |information of W|
$
$
$ strings firmware.bin | grep -i copyright
Copyright 2003-2005 TP-LINK TECHNOLOGIES
Copyright 1984-2002 Wind River Systems, Inc.
Copyright 2003-2005 TP-LINK TECHNOLOGIES
uSPCopyright 1984-2002 Wind River Systems, Inc.
$
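Before keeping a dump as the restore image for a bricked router, it is worth checking that the capture is complete and consistent: `cat` on a serial port silently loses any bytes the host drops, and an erased or empty capture still looks like a file. The script below is an added example, not code from the original post or the spiflash repository; it assumes a 2 MiB part like the FL016A1F and, optionally, a second capture of the same chip to compare against. It also pulls out the copyright banners the hexdump and strings output above showed.

```python
"""Sanity checks on an SPI flash dump captured over UART (added example).
Assumed, not from the post: a 2 MiB part such as the FL016A1F, dumps taken
with `cat /dev/ttyUSB0 > firmware.bin` as above, and optionally a second
capture of the same chip so that bytes dropped by the serial link show up."""
import hashlib
import re

FLASH_SIZE = 2 * 1024 * 1024   # FL016A1F: 16 Mbit = 2 MiB, i.e. the 2097152-byte dump above
ERASED = 0xFF                   # erased NOR flash reads back as 0xFF


def check_dump(data: bytes, expected_size: int = FLASH_SIZE) -> dict:
    """Facts to verify before trusting a dump as a restore image."""
    erased = data.count(ERASED)
    # Printable runs of 8+ bytes mentioning "copyright": what `strings | grep` showed.
    marks = [(m.start(), m.group().decode())
             for m in re.finditer(rb"[\x20-\x7e]{8,}", data)
             if b"copyright" in m.group().lower()]
    return {
        "size_ok": len(data) == expected_size,
        "erased_fraction": erased / len(data) if data else 1.0,
        "looks_blank": not data or erased == len(data) or data.count(0x00) == len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "copyright_marks": marks,
    }


def compare_dumps(a: bytes, b: bytes, limit: int = 8) -> list:
    """Offsets where two captures of the same chip differ; a serial drop shows up here."""
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if len(a) != len(b):
        diffs.append(min(len(a), len(b)))   # the shorter capture lost bytes from here on
    return diffs[:limit]


# Constructed sample image: erased flash with the vendor banner at 0x400, as in the dump above.
BANNER = b"Copyright 2003-2005 TP-LINK TECHNOLOGIES"
_img = bytearray([ERASED] * FLASH_SIZE)
_img[0x400:0x400 + len(BANNER)] = BANNER
SAMPLE_DUMP = bytes(_img)

if __name__ == "__main__":
    import sys
    dumps = [open(p, "rb").read() for p in sys.argv[1:3]] or [SAMPLE_DUMP]
    print(check_dump(dumps[0]))
    if len(dumps) == 2:
        print("differences at:", compare_dumps(*dumps) or "none")
```

Run it with two capture files to get the first differing offsets; an empty list means the two dumps agree byte for byte.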
