TP-Link Archer D9
Hardware
Old links from the previous version of this page:
- CPU & Switch: Broadcom BCM4709A0
- Wireless: Broadcom BCM4360
- ADSL Modem: Broadcom BCM6318
Flashing
The stock firmware validates an RSA signature during the upload process. However, it is possible to bypass this check via the device's telnet interface. The current steps for firmware version 150826 (http://www.tp-link.com/res/down/soft/Archer_D9_v1_150826.zip) are as follows:
0. Update firmware to v150826 via the web interface
1. Telnet onto device using the same password as for the admin interface
2. Run the command "sh"
3. Use ps to identify the httpd process id (pid)
4. Read /proc/<pid_of_httpd>/maps to identify the load address of libcmm.so
5. Compile a binary using buildroot2012.02 for ARM EABI (compile this using a docker image of ubuntu 12.02) and patch the offsets appropriately. It is currently uncertain whether the offsets to patch are the same across devices; the patch and code below are from one device.
Adjust the offsets if the start address of libcmm.so on your device differs (on the inspected device it was 0x401d3000), and insert the pid of httpd reported by ps.
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/ptrace.h>

int main(void){
    /* pid of httpd as reported by ps on the inspected device */
    pid_t pid = 1466;
    ptrace(PTRACE_ATTACH, pid, NULL, NULL);
    waitpid(pid, NULL, 0);

    /* addresses below assume libcmm.so is mapped at 0x401d3000 */
    unsigned long patch_offset = 0x401EF0A4;
    unsigned long patch_data = 0x57E1;
    long success = ptrace(PTRACE_POKEDATA, pid, (void *)patch_offset, (void *)patch_data);
    if(success == -1){
        perror("ptrace");
    }
    patch_offset = 0x401EEF97;
    success = ptrace(PTRACE_POKEDATA, pid, (void *)patch_offset, (void *)patch_data);
    if(success == -1){
        perror("ptrace");
    }
    patch_offset = 0x401EEF9B;
    patch_data = 0x0A1C149F;
    success = ptrace(PTRACE_POKEDATA, pid, (void *)patch_offset, (void *)patch_data);
    if(success == -1){
        perror("ptrace");
    }
    ptrace(PTRACE_DETACH, pid, NULL, NULL);
    return 0;
}
6. Load the binary onto a mounted usb device
7. On the device, navigate to and execute /var/usbdevice/mount_point/binary_name
You are now able to upload firmware via the web interface with the RSA check skipped. The above patch also disables the MD5 check.
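Steps 4 and 5 above leave the reader to work out the libcmm.so load address by hand and to shift the patch addresses if it differs from 0x401d3000. The following C program is an added example, not code from this page or from OpenWrt, that does that bookkeeping: it parses text in /proc/<pid>/maps format, returns the start address of the first mapping of a named library, and rebases an address recorded on the inspected device onto the observed load address. The maps text is a constructed sample (not captured from a real Archer D9), and the names find_module_base, rebase_address and REFERENCE_BASE are assumptions of this example; on the router the text would be read from /proc/<pid>/maps instead.

```c
#include <stdio.h>
#include <string.h>

/* Start address of libcmm.so on the device the page's offsets were taken from. */
#define REFERENCE_BASE 0x401d3000UL

/* Constructed sample in /proc/<pid>/maps format (not captured from a real
 * device); the third line deliberately has no pathname, as anonymous
 * mappings do, to show that such lines are skipped correctly. */
static const char SAMPLE_MAPS[] =
    "00008000-00030000 r-xp 00000000 1f:02 1234       /usr/bin/httpd\n"
    "00038000-0003a000 rw-p 00028000 1f:02 1234       /usr/bin/httpd\n"
    "0003a000-0005c000 rw-p 00000000 00:00 0\n"
    "40000000-40005000 r-xp 00000000 1f:02 2001       /lib/ld-uClibc.so.0\n"
    "401d3000-40200000 r-xp 00000000 1f:02 2077       /lib/libcmm.so\n"
    "40200000-40208000 rw-p 0002d000 1f:02 2077       /lib/libcmm.so\n"
    "bef1a000-bef3b000 rw-p 00000000 00:00 0          [stack]\n";

/* Parse text in /proc/<pid>/maps format and return the start address of the
 * first mapping whose pathname's final component equals module_name.
 * Returns 0 if no such mapping exists. Each line is copied into its own
 * buffer before parsing so that a mapping without a pathname cannot make
 * sscanf read the next line's address range as its path. */
unsigned long find_module_base(const char *maps_text, const char *module_name)
{
    const char *line = maps_text;

    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        unsigned long start = 0, end = 0, file_off = 0, inode = 0;
        char perms[8] = {0}, dev[16] = {0}, path[256] = {0};
        /* seven fields: range, perms, file offset, device, inode, pathname */
        int n = sscanf(buf, "%lx-%lx %7s %lx %15s %lu %255s",
                       &start, &end, perms, &file_off, dev, &inode, path);
        if (n == 7) {
            const char *fname = strrchr(path, '/');
            fname = fname ? fname + 1 : path;
            if (strcmp(fname, module_name) == 0)
                return start;
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    return 0;
}

/* Translate an address recorded on the reference device (libcmm.so at
 * REFERENCE_BASE) into the same location in a copy of the library that is
 * mapped at observed_base instead. */
unsigned long rebase_address(unsigned long observed_base,
                             unsigned long reference_addr)
{
    return reference_addr - REFERENCE_BASE + observed_base;
}

int main(void)
{
    /* On the router this text would be read from /proc/<pid>/maps. */
    unsigned long base = find_module_base(SAMPLE_MAPS, "libcmm.so");
    if (base == 0) {
        fprintf(stderr, "libcmm.so is not mapped in this process\n");
        return 1;
    }
    printf("libcmm.so mapped at 0x%lx\n", base);
    printf("0x401EF0A4 on the reference device -> 0x%lx here\n",
           rebase_address(base, 0x401EF0A4UL));
    return 0;
}
```

Only the first (executable, file offset 0) mapping of the library is returned, which is the base that the page's 0x401d3000 figure refers to; if the returned base equals REFERENCE_BASE, the addresses in the patch program can be used unchanged, otherwise each one should be passed through rebase_address before the program is compiled.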
Photos
Archer D9 v1
Box:
Front:
Photo of front of the casing
Back:
Photo of back of the casing
Opening the case
Note: This will void your warranty!
To remove the cover:
Main PCB
Serial
→ port.serial: general information about the serial port, serial port cable, etc.
If you open the casing and remove the PCB from the chassis, there is a well-labelled TTL serial connector near the top, between the wireless antenna connectors. It operates at 115200 baud, 8N1.
How to connect to the Serial Port of this specific device:
JTAG
→ port.jtag: general information about the JTAG port, JTAG cable, etc.
The JTAG port consists of 10 female pin holes at the bottom of the PCB, next to the LAN ports. The pin-out is still unknown.
How to connect to the JTAG Port of this specific device:
Photo of PCB with markings
Debricking
Recovery Mode
The Archer D9 has a recovery mode. See the archer-c9 page until someone writes a D9-specific description.