TP-Link Archer D7 AC1750
Dual Band (concurrent), Gigabit Ethernet and ADSL Modem. Advertised as 1750 Mbps. It has simultaneous Triple-Stream (3×3) radios on both 2.4GHz and 5 GHz Bands. It supports 802.11n in 2.4GHz for 450Mbps throughput and IEEE 802.11ac (draft) for 1300Mbps throughput in 5GHz.
This modem is practically divided in 2 sections:
- Router section: This part shares the same hardware with Archer C5 v1 and Archer C7 v2
- Modem section: Based on BCM6318 (unsupported)
Supported Versions
Hardware Highlights
Installation
→ Install OpenWrt (generic explanation)
The following instructions require a connection to the J1 UART header and are tested for the Archer D7 v1. For the Archer D7b v1, names should be changed accordingly.
Flash instructions under U-Boot, using UART
- Press
tpl
to stop autobooting and obtain U-Boot CLI access. - Setup IP addresses for U-Boot and your tftp server.
- Issue below commands:
tftpboot 0x81000000 openwrt-ath79-generic-tplink_archer-d7-v1-squashfs-sysupgrade.bin erase 0x9f020000 +f90000 cp.b 0x81000000 0x9f020000 0xf90000 reset
Initramfs instructions under U-Boot for testing, using UART
- Press
tpl
to stop autobooting and obtain U-Boot CLI access. - Setup IP addresses for U-Boot and your tftp server.
- Issue below commands:
tftpboot 0x81000000 openwrt-ath79-generic-tplink_archer-d7-v1-initramfs-kernel.bin bootm 0x81000000
- Here you can backup the original firmware and/or flash the sysupgrade OpenWrt if you want
Restore the original firmware
- Backup every partition using the OpenWrt web interface
- Download the OEM firmware from the TP-Link website
- Extract the bin file in a folder (eg. Archer_D7v1_1.6.0_0.9.1_up_boot(160216)_2016-02-16_15.55.48.bin)
- Remove the U-Boot and the Broadcom image part from the file.
Issue the following command:
dd if="Archer_D7v1_1.6.0_0.9.1_up_boot(160216)_2016-02-16_15.55.48.bin" of="Archer_D7v1_1.6.0_0.9.1_up_boot(160216)_2016-02-16_15.55.48.bin.mod" skip=257 bs=512 count=31872
- Double check the .mod file size. It must be 16318464 bytes.
- Flash the image
- Using the OpenWrt web interface. Force the update if needed.
WARNING: Remember to NOT keep settings. - Alternatively, flash it using the U-Boot and UART connection.
Issue below commands in the U-Boot:
tftpboot 0x81000000 Archer_D7v1_1.6.0_0.9.1_up_boot(160216)_2016-02-16_15.55.48.bin.mod erase 0x9f020000 +f90000 cp.b 0x81000000 0x9f020000 0xf90000 reset
Hardware - Router section
Hardware info
Architecture | MIPS32 (MIPS74Kc) |
---|---|
Target | ar7xxx/ar9xxx |
Vendor | TP-Link |
Bootloader | uboot |
CPU Model | QCA9558 |
CPU Speed | 720MHz |
Flash chip | Winbond 25Q128FVSG (128 Mibit) |
Flash size | 16 MiB |
RAM chip | 2x Winbond W9751G6KB-25 (512 Mibit each) |
RAM size | 128 MiB |
WAN | In the original firmware LAN4 can act as WAN |
Switch | AR8327N-BL1A |
Ethernet | QCA8337 (4xGbe) |
Wireless | QCA9558 (Integrated 2.4GHz) + QCA9880-BR4A (5GHz) |
Serial | yes (see picture below) |
Buttons | power switch, WPS button, Wifi on/off |
Power | external 12V 2,5A |
Case opening
To open the case you have to remove two screws underneath the information sticker and one screw below the silver front clip which should push forward, then you need to pry open the rest of the case which is clipped together (2×3 side clips; 2 front clips; 2 back clips).
Serial
J1
• VCC • GND • RX ▣ TX
Configure your favorite terminal with the following settings: 115200 baud, 8 bit, no parity, 1 stop bit, no flow control.
To enter into the bootloader, press “t” when it says: “Hit any key to stop autoboot”
Default user and password for console login inside the original OEM firmware is admin/1234
Access serial header (easy way)
Since opening the case is relatively hard (because of the hard to remove silver clip and strong plastic clips), the easiest way to gain Serial access is by using some snips to cut out part of the case.
OEM Flash Layout
~ # cat /proc/mtd dev: size erasesize name mtd0: 00020000 00010000 "u-boot" mtd1: 00140000 00010000 "kernel" mtd2: 00e50000 00010000 "rootfs" mtd3: 00010000 00010000 "radioDECT" mtd4: 00010000 00010000 "config" mtd5: 00010000 00010000 "romfs" mtd6: 00010000 00010000 "rom" mtd7: 00010000 00010000 "radio"
Hardware - Modem section
Hardware info
Architecture | MIPS32 (MIPS74Kc) |
---|---|
Target | bcm63xx |
Bootloader | CFE |
CPU Model | BCM6318 |
CPU Speed | 333MHz |
Flash chip | Winbond 25Q16DVSIG (16 Mibit) |
Flash size | 2 MiB |
RAM chip | ESMT M12L128168A (128 Mibit) |
RAM size | 16 MiB |
WAN | RJ-11 |
Serial | yes (see picture below) |
Serial header
J41
• VCC • GND • RX ▣ TX
Default user and password for console login inside the original OEM firmware is admin/admin
OEM Flash Layout
# cat /proc/mtd dev: size erasesize name mtd0: 0011d000 00000000 "BCM63XX RootFS"
Non-invasive installation instructions
- Telnet into the router (admin/1234) on port 1023 (see details below for 'gaining shell access')
cat /proc/mtd dev: size erasesize name mtd0: 00020000 00010000 "u-boot" mtd1: 00140000 00010000 "kernel" mtd2: 00e50000 00010000 "rootfs" mtd3: 00010000 00010000 "radioDECT" mtd4: 00010000 00010000 "config" mtd5: 00010000 00010000 "romfs" mtd6: 00010000 00010000 "rom" mtd7: 00010000 00010000 "radio"
- Download any openwrt image for the Archer D7 and split it into two pieces, first part being 1179648 bytes if the mtd1/kernel size is 00120000 or 1310720 bytes if the mtd1/kernel size is 00140000
dd if=openwrt.bin of=openwrt-mtd1.bin bs=1 count=1179648 dd if=openwrt.bin of=openwrt-mtd2.bin bs=1 skip=1179648
or
dd if=openwrt.bin of=openwrt-mtd1.bin bs=1 count=1310720 dd if=openwrt.bin of=openwrt-mtd2.bin bs=1 skip=1310720
- Download or compile from source the mtd utils for the Archer D7
- Copy the tools and openwrt images to a fat32 formatted USB drive and plug it into the router
- Change the working directory to /var/usbdisk/sda1/
cd /var/usbdisk/sda1/
- Check your mtd1 partition and openwrt-mtd1.bin are both exactly 1310720 or 1179648 bytes, both must be the same.
cat /dev/mtdblock1 > ./mtd1 ls -l
> -rwxrwxrwx 1 5309227 openwrt-mtd2.bin -rwxrwxrwx 1 1310720 openwrt-mtd1.bin -rwxrwxrwx 1 94821 flash_erase -rwxrwxrwx 1 109558 nandwrite drwxrwxrwx 2 16384 System Volume Information -rwxrwxrwx 1 1310720 mtd1
- Erase flash and write the openwrt images, if any of these fail, your router will be bricked.
./flash_erase /dev/mtd1 0x0 0 ./flash_erase /dev/mtd2 0x0 0 ./nandwrite /dev/mtd1 openwrt-mtd1.bin -p ./nandwrite /dev/mtd2 openwrt-mtd2.bin -p
- Reboot, it is usually advised to do a power cycle rather than a soft reboot to ensure nothing else can be written.
Gain shell access
This hack is the same used for the w8970/w9980 https://forum.kitz.co.uk/index.php?topic=17108.105.
Prerequisites
You'll need python3 and pycrypto to run this script. You can install pycrypto by:
- apt install python3-crypto
- OR pip install pycrypto
- OR pip install pycryptodome
Download this python script: https://github.com/sta-c0000/tpconf_bin_xml/blob/master/tpconf_bin_xml.py
Guide
- Download the system configuration from the OEM interface (System Tools → Backup & Restore → Backup)
- Rename it in “config.bin” (if necessary) and copy it in the same folder of the tpconf_bin_xml.py script.
- Execute
python3 tpconf_bin_xml.py -n conf.bin conf.xml
- Open the conf.xml file with a text editor and add the following line inside the “<DeviceInfo>” tag:
<Description val="Modem Router`telnetd -p 1023 -l login`" />
- Before
<?xml version="1.0"?> <DslCpeConfig> <InternetGatewayDevice> <DeviceSummary val="InternetGatewayDevice:1.1[](Baseline:1, EthernetLAN:1)" /> <LANDeviceNumberOfEntries val=1 /> <DeviceInfo> <ManufacturerOUI val=XXXXXX /> <SerialNumber val=XXXXXXXXXXXXX /> <HardwareVersion val="Archer D7 v1 00000002" /> <SoftwareVersion val="1.6.0 0.9.1 v002d.0 Build 160216 Rel.57110n" /> <UpTime val=4 /> <X_TP_IsFD val=3 /> </DeviceInfo> ...
- After
<?xml version="1.0"?> <DslCpeConfig> <InternetGatewayDevice> <DeviceSummary val="InternetGatewayDevice:1.1[](Baseline:1, EthernetLAN:1)" /> <LANDeviceNumberOfEntries val=1 /> <DeviceInfo> <ManufacturerOUI val=XXXXXX /> <SerialNumber val=XXXXXXXXXXXXX /> <HardwareVersion val="Archer D7 v1 00000002" /> <SoftwareVersion val="1.6.0 0.9.1 v002d.0 Build 160216 Rel.57110n" /> <UpTime val=4 /> <X_TP_IsFD val=3 /> <Description val="Modem Router`telnetd -p 1023 -l login`" /> </DeviceInfo> ....
- After editing the conf.xml file it must be coverted back the configuration file using the previous python script:
python3 tpconf_bin_xml.py conf.xml conf_new.bin
- Restore the modem's configuration using this new conf_new.bin file. (System Tools → Backup & Restore → Restore)
- Now you are able to connect to the router using telnet on port 1023:
telnet 192.168.1.1 1023