TP-Link Archer D7 AC1750

Dual Band (concurrent), Gigabit Ethernet and ADSL Modem. Advertised as 1750 Mbps. It has simultaneous Triple-Stream (3×3) radios on both 2.4GHz and 5 GHz Bands. It supports 802.11n in 2.4GHz for 450Mbps throughput and IEEE 802.11ac (draft) for 1300Mbps throughput in 5GHz.

This modem is practically divided in 2 sections:

DSL will not work at all on devices with BCM63xx DSL chipset (due to unavailability of FLOSS driver for Broadcom chips). Consider this when choosing a device to buy, or when deciding to flash OpenWrt on your device because it is listed as supported.
See Broadcom DSL, Unsupported: DSL modem and Broadcom BCM63xx for details.

Install OpenWrt (generic explanation)

The following instructions require a connection to the J1 UART header and are tested for the Archer D7 v1. For the Archer D7b v1, names should be changed accordingly.

  1. Press tpl to stop autobooting and obtain U-Boot CLI access.
  2. Setup IP addresses for U-Boot and your tftp server.
  3. Issue below commands:
    tftpboot 0x81000000 openwrt-ath79-generic-tplink_archer-d7-v1-squashfs-sysupgrade.bin
    erase 0x9f020000 +f90000
    cp.b 0x81000000 0x9f020000 0xf90000
    reset
  1. Press tpl to stop autobooting and obtain U-Boot CLI access.
  2. Setup IP addresses for U-Boot and your tftp server.
  3. Issue below commands:
    tftpboot 0x81000000 openwrt-ath79-generic-tplink_archer-d7-v1-initramfs-kernel.bin
    bootm 0x81000000
  4. Here you can backup the original firmware and/or flash the sysupgrade OpenWrt if you want
  1. Backup every partition using the OpenWrt web interface
  2. Download the OEM firmware from the TP-Link website
  3. Extract the bin file in a folder (eg. Archer_D7v1_1.6.0_0.9.1_up_boot(160216)_2016-02-16_15.55.48.bin)
  4. Remove the U-Boot and the Broadcom image part from the file.
    Issue the following command:
    dd if="Archer_D7v1_1.6.0_0.9.1_up_boot(160216)_2016-02-16_15.55.48.bin" of="Archer_D7v1_1.6.0_0.9.1_up_boot(160216)_2016-02-16_15.55.48.bin.mod" skip=257 bs=512 count=31872
  5. Double check the .mod file size. It must be 16318464 bytes.
  6. Flash the image
    1. Using the OpenWrt web interface. Force the update if needed.
      WARNING: Remember to NOT keep settings.
    2. Alternatively, flash it using the U-Boot and UART connection.
      Issue below commands in the U-Boot:
      tftpboot 0x81000000 Archer_D7v1_1.6.0_0.9.1_up_boot(160216)_2016-02-16_15.55.48.bin.mod
      erase 0x9f020000 +f90000
      cp.b 0x81000000 0x9f020000 0xf90000
      reset
Architecture MIPS32 (MIPS74Kc)
Target ar7xxx/ar9xxx
Vendor TP-Link
Bootloader uboot
CPU Model QCA9558
CPU Speed 720MHz
Flash chip Winbond 25Q128FVSG (128 Mibit)
Flash size 16 MiB
RAM chip 2x Winbond W9751G6KB-25 (512 Mibit each)
RAM size 128 MiB
WAN In the original firmware LAN4 can act as WAN
Switch AR8327N-BL1A
Ethernet QCA8337 (4xGbe)
Wireless QCA9558 (Integrated 2.4GHz) + QCA9880-BR4A (5GHz)
Serial yes (see picture below)
Buttons power switch, WPS button, Wifi on/off
Power external 12V 2,5A

To open the case you have to remove two screws underneath the information sticker and one screw below the silver front clip which should push forward, then you need to pry open the rest of the case which is clipped together (2×3 side clips; 2 front clips; 2 back clips).

J1

•  VCC
•  GND
•  RX
▣ TX

Configure your favorite terminal with the following settings: 115200 baud, 8 bit, no parity, 1 stop bit, no flow control.

To enter into the bootloader, press “t” when it says: “Hit any key to stop autoboot”

Default user and password for console login inside the original OEM firmware is admin/1234

Since opening the case is relatively hard (because of the hard to remove silver clip and strong plastic clips), the easiest way to gain Serial access is by using some snips to cut out part of the case.

~ # cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00020000 00010000 "u-boot"
mtd1: 00140000 00010000 "kernel"
mtd2: 00e50000 00010000 "rootfs"
mtd3: 00010000 00010000 "radioDECT"
mtd4: 00010000 00010000 "config"
mtd5: 00010000 00010000 "romfs"
mtd6: 00010000 00010000 "rom"
mtd7: 00010000 00010000 "radio"
Architecture MIPS32 (MIPS74Kc)
Target bcm63xx
Bootloader CFE
CPU Model BCM6318
CPU Speed 333MHz
Flash chip Winbond 25Q16DVSIG (16 Mibit)
Flash size 2 MiB
RAM chip ESMT M12L128168A (128 Mibit)
RAM size 16 MiB
WAN RJ-11
Serial yes (see picture below)

J41

•  VCC
•  GND
•  RX
▣ TX

Default user and password for console login inside the original OEM firmware is admin/admin

# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 0011d000 00000000 "BCM63XX RootFS"
  • Telnet into the router (admin/1234) on port 1023 (see details below for 'gaining shell access')
cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00020000 00010000 "u-boot"
mtd1: 00140000 00010000 "kernel"
mtd2: 00e50000 00010000 "rootfs"
mtd3: 00010000 00010000 "radioDECT"
mtd4: 00010000 00010000 "config"
mtd5: 00010000 00010000 "romfs"
mtd6: 00010000 00010000 "rom"
mtd7: 00010000 00010000 "radio"
  • Download any openwrt image for the Archer D7 and split it into two pieces, first part being 1179648 bytes if the mtd1/kernel size is 00120000 or 1310720 bytes if the mtd1/kernel size is 00140000
dd if=openwrt.bin of=openwrt-mtd1.bin bs=1 count=1179648
dd if=openwrt.bin of=openwrt-mtd2.bin bs=1 skip=1179648

or

dd if=openwrt.bin of=openwrt-mtd1.bin bs=1 count=1310720
dd if=openwrt.bin of=openwrt-mtd2.bin bs=1 skip=1310720
  • Download or compile from source the mtd utils for the Archer D7
  • Copy the tools and openwrt images to a fat32 formatted USB drive and plug it into the router
  • Change the working directory to /var/usbdisk/sda1/
cd /var/usbdisk/sda1/
  • Check your mtd1 partition and openwrt-mtd1.bin are both exactly 1310720 or 1179648 bytes, both must be the same.
cat /dev/mtdblock1 > ./mtd1
ls -l 
>
-rwxrwxrwx    1   5309227 openwrt-mtd2.bin
-rwxrwxrwx    1   1310720 openwrt-mtd1.bin
-rwxrwxrwx    1     94821 flash_erase
-rwxrwxrwx    1    109558 nandwrite
drwxrwxrwx    2     16384 System Volume Information
-rwxrwxrwx    1   1310720 mtd1
  • Erase flash and write the openwrt images, if any of these fail, your router will be bricked.
./flash_erase /dev/mtd1 0x0 0
./flash_erase /dev/mtd2 0x0 0
./nandwrite /dev/mtd1 openwrt-mtd1.bin -p
./nandwrite /dev/mtd2 openwrt-mtd2.bin -p
  • Reboot, it is usually advised to do a power cycle rather than a soft reboot to ensure nothing else can be written.

This hack is the same used for the w8970/w9980 https://forum.kitz.co.uk/index.php?topic=17108.105.

Prerequisites

You'll need python3 and pycrypto to run this script. You can install pycrypto by:

  • apt install python3-crypto
  • OR pip install pycrypto
  • OR pip install pycryptodome

Download this python script: https://github.com/sta-c0000/tpconf_bin_xml/blob/master/tpconf_bin_xml.py

Guide
  1. Download the system configuration from the OEM interface (System Tools → Backup & Restore → Backup)
  2. Rename it in “config.bin” (if necessary) and copy it in the same folder of the tpconf_bin_xml.py script.
  3. Execute
    python3 tpconf_bin_xml.py -n conf.bin conf.xml
  4. Open the conf.xml file with a text editor and add the following line inside the “<DeviceInfo>” tag:
    <Description val="Modem Router`telnetd -p 1023 -l login`" />
    1. Before
      <?xml version="1.0"?>
      <DslCpeConfig>
        <InternetGatewayDevice>
          <DeviceSummary val="InternetGatewayDevice:1.1[](Baseline:1, EthernetLAN:1)" />
          <LANDeviceNumberOfEntries val=1 />
          <DeviceInfo>
            <ManufacturerOUI val=XXXXXX />
            <SerialNumber val=XXXXXXXXXXXXX />
            <HardwareVersion val="Archer D7 v1 00000002" />
            <SoftwareVersion val="1.6.0 0.9.1 v002d.0 Build 160216 Rel.57110n" />
            <UpTime val=4 />
            <X_TP_IsFD val=3 />
          </DeviceInfo>
          ...
    2. After
      <?xml version="1.0"?>
      <DslCpeConfig>
        <InternetGatewayDevice>
          <DeviceSummary val="InternetGatewayDevice:1.1[](Baseline:1, EthernetLAN:1)" />
          <LANDeviceNumberOfEntries val=1 />
          <DeviceInfo>
            <ManufacturerOUI val=XXXXXX />
            <SerialNumber val=XXXXXXXXXXXXX />
            <HardwareVersion val="Archer D7 v1 00000002" />
            <SoftwareVersion val="1.6.0 0.9.1 v002d.0 Build 160216 Rel.57110n" />
            <UpTime val=4 />
            <X_TP_IsFD val=3 />
            <Description val="Modem Router`telnetd -p 1023 -l login`" />
          </DeviceInfo>
          ....
  5. After editing the conf.xml file it must be coverted back the configuration file using the previous python script:
    python3 tpconf_bin_xml.py conf.xml conf_new.bin
  6. Restore the modem's configuration using this new conf_new.bin file. (System Tools → Backup & Restore → Restore)
  7. Now you are able to connect to the router using telnet on port 1023:
    telnet 192.168.1.1 1023
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2024/02/12 08:58
  • by 127.0.0.1