TP-Link TL-WDR4300 (N750)

TP-Link TL-WDR4300 has 802.11n Dual Band (concurrent) WiFi and Gigabit Ethernet. Advertised as 750 Mbps it is Dual-Stream (2×2) on the 2.4 GHz Band and Triple-Stream (3×3) on the 5 GHz Band. Same as the TL-WDR4310.

Related to TL-WDR3600, which has only two instead of three antennas.

Warning!SECURITY WARNING: Unpatched http/tftp backdoor in original firmware: http://sekurak.pl/tp-link-httptftp-backdoor/

Version/Model Board ID Release Date Model Specific Notes
v1.0 - 2012/02 TP-Link TL-WDR4310.
v1.1 - 2012/06 Similar to TP-Link TL-WDR4310
v1.2 - 2012/11 -
v1.3 - 2012/11 -
v1.4 - 2013/04 -
v1.5 - 2013/? -
v1.6 2050500272 rev 1.3 2013/08 -
v1.7 2050500272 rev 1.3 2014/01 TP-Link TL-WDR4310.

NOTE: The Ethernet switch in this device, AR8327N, is working fine with the OpenWrt default configuration. Some of the more advanced functions of the switch are not yet fully supported by the driver in 12.09.

ALSO NOTE: The Ethernet switch lets WAN traffic through for a few seconds on bootup. This can be a problem.

If your wireless cannot be enabled when using wide channel modes, this may be due to the friendly neighbor “feature” that prohibits operation of such a mode and you may have to use the standard modes before wireless can be enabled.

  • Download OpenWrt factory image as shown above
  • Rename it to the format that the original firmware expects. Something like: wdr4300v1_en_3_14_3_up_boot(150518).bin. Otherwise the page will show error messages like “please select a file to upgrade”.
  • Connect your PC to a LAN port of the TP-link via ethernet.
  • Login to the TP-link web administration webpage. (Default address is 192.168.0.1)
  • Under 'System Tools' select 'Firmware Upgrade'. Browse to the previously downloaded *.bin file. Click Upgrade.
  • Connect to http://192.168.1.1 with your web browser
  • Set your password and configure the router through the web UI. Basic Config

Note: Factory default IP address range is 192.168.0.1 while OpenWrt uses 192.168.1.1 by default. If you have trouble accessing your router after initial flash, check that you have a 192.168.1.x IP address on your PC.

  1. Update to stock firmware: 3.13.33(130617) before installation (highly recommended). This firmware features a bootloader with handy TFTP recovery mode → Flashing via TFTP, de-brick or OEM installation using the TFTP recovery
  2. Download OpenWrt factory image as shown above
  3. Look for openwrt-ar71xx-generic-tl-wdr4300-v1-squashfs-factory.bin, unless your device was purchased in Israel. In that case, look for openwrt-ar71xx-generic-tl-wdr4300-v1-il-squashfs-factory.bin.
  4. Rename the file (original firmware expects a specific format)
    1. The following filename will please the vendor's web UI firmware update tool: wdr4300v1_en_3_14_3_up_boot(150518).bin
    2. Otherwise the page will show error messages like “please select a file to upgrade,” or will not respond to clicking the upgrade firmware button.
  5. Use the original firmware vendor's Firmware Upgrade tool to write this firmware-file onto the flash-chip of your device.

Once installed, in order to use wifi, you need to activate wifi in the configuration, see wireless configuration.

NOTES

  1. When flashing the factory firmware image using the web interface, you may see TP-Link's error code of 180005 saying something like the “version of the upgraded file was incorrect”. That means your device's firmware is locked to a particular region. See Error code 18005
  2. Recent (2016+) TP-Link firmware in the USA may be locked to prevent re-flashing. If you have such locked firmware, you can downgrade to use the original TP-Link firmware and flash OpenWrt from the web interface. You will need tools from dd-wrt to effect the downgrade: go to dd-wrt website and search the router database for wdr4300, then download the TL-WDR4300v1-webrevert.rar file from the router database page. Unrar the file to extract the binary. Next, from https://dd-wrt.com/site/support/other-downloads, select betas for the WDR4300, then select the most recent date (e.g.2016), then find the latest wdr4300v1. Your path is reported as something like: Downloads › betas › 2016 › 08-24-2016-r30471 › tplink_tl-wdr4300v1. Download the file factory-to-ddwrt.bin. This tool will install dd-wrt, and the revert tool will then install the original unlocked TP-Link firmware. To flash dd-wrt (dd-wrt reccomends IE/windows for this), login to the locked TP-Link router (admin/admin), and then use the “System Tool Update Firmware” to flash the factory-to-ddwrt.bin file. After the router has finished rebooting, the router has dd-wrt running at http://192.168.1.1, and you are ready to revert to the unlocked TP-Link firmware. Browse to 192.168.1.1, assign an ID/PW, then navigate to Administration → Firmware Upgrade. Select the extracted tl-wdr4300v1-webrevert.bin from your host's download directory and click the Upgrade button, dd-wrt will be replaced with the original unlocked TP-Link firmware. Now browse to http://192.168.1.1, hit reset on the router for 5+ seconds to revert the ID to admin/admin and reboot. The router is now running the old TP-Link unlocked firmware at the IP address 192.168.0.1, after the router reboots, browse to http://192.168.0.1 and login with admin/admin. To install Openwrt firmware, browse to System Tools → Firmware Upgrade and select the new firmware file of your choice (e.g.: OpenWrt Designated Driver) and click Upgrade to flash the WDR4300 with OpenWrt.
  3. TP-Link's firmware defaults to 192.168.0.1 with username “admin” and password “admin”. After installation, OpenWrt defaults to 192.168.1.1 and no assigned password.
  4. Precompiled images do not activate the wireless feature by default (you will have to use Ethernet for the initial configuration).
  5. Trunk images don't have luci, you must install it manually, see luci.essentials
  6. For devices in Israel, try flashing the original image first, in most cases it will work just fine. Devices that require the Israeli firmware will show a warning on the Firmware Update page. If you see this warning, fallback to the “-il-” image. The Israeli firmware differs only in the Hardware ID, in order to enable flashing from the original firmware interface. There is no difference between the images otherwise. See this thread for details.
  7. Images for the TP-Link 3600 are largely compatible with a simple modification to the header of the firmware image. The PCB for both models is identical, or close to identical. The third external antenna on the 4300 is on the PCB of the 3600, but not connected to an external antenna.
  8. Firmware version 3.14.3 Build 151104 Rel.45874n and hardware version WDR4300 v1 00000000 seems to be locked.

WARNING: Do not flash the sysupgrade firmware via the vendor firmware web interface. Only the 'factory' images should be flashed from the vendor firmware.

Pressing the WPS/Reset button during powerup makes the bootstrap loader enter the TFTP recovery mode. After pushing the reset button, the arrows should be lighten up. The procedure can be used to transfer a firmware image:

  1. assign 192.168.0.66 to your local network interface (the router uses 192.168.0.86)
  2. publish a firmware image via tftp: cp openwrt-ar71xx-generic-tl-wdr4300-v1-squashfs-factory.bin /srv/tftp/wdr4300v1_tp_recovery.bin
  3. configure your tftp server. best if you can have some way of watching the log file so you can see if the router is requesting the file
  4. turn on the router, wait until the second light from the left - the asterisk - starts flashing, hold down the WPS button on the back for a few seconds until the asterisk starts flashing faster
  5. OR (some models are different) hold down the WPS button on the back and THEN power up the router. You will know it is attempting to transfer the file when the light furthest on the right lights up.
  6. wait for the firmware transfer (about 20s), firmware flash (about 90s) and subsequent reboot (about 30s)

If OpenWrt is already installed and you wish to upgrade to a newer version, you have two methods available:

  1. Flash Overwrite
  2. Generic Sysupgrade

(prior to actual flashing given availability of a serial console it's a nice idea to do dry runs, by ad-hoc RAM booting a factory.bin from a TFTP host server, via uboot “tftp” + “bootm”, served via WDR3600's default 6F01A8C0.img filename).

Flash Overwrite

  • Login as root via SSH
  • Check memory usage with the free or top commands. The image can be up to 8MB, so only proceed if you have as much free RAM as the image size plus 6-8MB; this should not be a problem on a device with 128 MB RAM.
  • An easy way to free up some RAM is to delete the symlinks to /etc/modules.d/20-cfg80211, /etc/modules.d/21-mac80211, /etc/modules.d/2*-ath* and /etc/modules.d/[4-9]*-* and reboot. Drop caches can be useful too:
echo 3 > /proc/sys/vm/drop_caches
  • wget or scp the new firmware build to /tmp/
  • And finally:
cd /tmp
wget http://domain.tld/openwrt-ar71xx-generic-tl-wdr4300-v1-squashfs-factory.bin
mtd -r write /tmp/openwrt-ar71xx-generic-tl-wdr4300-v1-squashfs-factory.bin firmware

Generic Sysupgrade

Alternately, you can follow the generic.sysupgrade procedure. Don't forget to populate your /etc/sysupgrade.conf first.

mtd-utils

For systems where OpenWrt mtd is not available, mtd-utils commands need to be used (subsequent commands boldly assume that it's mtd5 which equals the “firmware” mtd partition name - cat /proc/mtd to verify!!):

flash_eraseall /dev/mtd5
nandwrite /dev/mtd5 /tmp/openwrt-ar71xx-generic-tl-wdr4300-v1-squashfs-factory.bin

(write operation will take about 5 minutes to complete)

Note that output of newer mtd-utils flash_eraseall recommends using “flash_erase <dev> 0 0” instead (did not test it).

Please read the article flash.layout for a better understanding. It contains a couple of explanations. Then let's have a quick view at flash layout of this particular device:

TP-Link WDR4300 Flash Layout stock firmware
Layer0 m25p80 spi0.0: s25fl064k 8192KiB
Layer1 mtd0 mtd1 mtd3
Size in KiB 128KiB 8000KiB 64KiB
Name u-boot firmware art
mountpoint none / none
filesystem none SquashFS-LZMA 4.0 none
TP-Link WDR4300 Flash Layout
Layer0 m25p80 spi0.0: s25fl064k 8192KiB
Layer1 mtd0 u-boot 128KiB mtd5 firmware 8000KiB mtd4 art 64KiB
Layer2 mtd1 kernel mtd2 rootfs
mountpoint /
filesystem overlayfs
Layer3 mtd3 rootfs_data
Size in KiB 128KiB 64KiB
Name u-boot kernel rootfs_data art
mountpoint none none /rom /overlay none
filesystem none none SquashFS JFFS2 none

ART = Atheros Radio Test - it contains mac addresses and calibration data for the wifi (EEPROM). If it is missing or corrupt, ath9k won't come up anymore.

Power up your router. When the 'SYS' light (asterisk symbol right of the power light) starts to blink, immediately push the WPS/Reset button on the back-left of the router for a short time (>1 sec). The 'SYS' light should now start to blink very fast.

On a TL-WDR4300 Ver 1.6 and Barrier Breaker Bleeding Edge, r39211, the above instructions were not terribly successful. The only way that I was able to get the router into failsafe mode was to quickly and repeatedly press the WPS/Reset button starting before the front panel “star” LED started flashing. When that LED finally lit, it appeared to go directly into the rapid-flashing “failsafe” indication. If the WPS LED lights (rightmost, “yin-yang arrows”), it may be that you started clicking the button a little early in the boot sequence.

Years later, at least with OpenWrt/LEDE 17.01, the “magic moment” is the two seconds that the “on” LED starts flashing. As this is from the preinit code, it likely applies to most similar models. (Confirmed on TP-Link Archer C7)

For what you can do in failsafe, go to the OpenWrt Failsafe Mode page.

DON'T TRY to flash wdr4300 with wdr4310 firmware and vice-versa!

Warning!
This section describes actions that might damage your device or firmware. Proceed with care!

The stock firmware is obtained from the OEM: https://www.tp-link.com/en/download/TL-WDR4300.html#Firmware As with the WR1043ND router, there is a also a catch with the WDR4300!!

  • in case the file name of this firmware file does not contain the word “boot” in it, you can simply revert back to original firmware. → generic.uninstall
  • in case the file name of this firmware file does contain the word “boot” in it, you need to cut off parts of the image file before flashing it

An example of an image file with the word “boot” in it is wdr4300v1_en_3_13_17_up_boot(120426).bin or wdr4300v1_en_3_14_3_up_boot(150518).

Cut the first 0x20200 (that is 131,584 = 257*512) Bytes from original firmware: (1*512 Vendor-info + 256*512 U-Boot)

If you want to find an image that does not contain the word “boot” from the OEM, try downloading smaller zip-files first. With status 12th October 2016 no such zip-files can be downloaded from the vendor's website.

wget or scp the stock firmware file to /tmp/
cd /tmp
dd if=orig.bin of=tplink.bin skip=257 bs=512

(Note: For 3_13_17 the File size should now be exactly: 8,126,464 Bytes, for 3_14_3 the File size should be exactly 8,060,928).

Now the resulting file can be flashed via mtd or web interface (web interface-method is tested 12 Oct 2016, works with 3_14_3)

Other caveats (from vendor web UI):

  • If the firmware path is too short, it will fail with the incorrect error 'firmware path too long'. For instance, flashing c:\openwrt.bin will not work.
  • If the firmware path is too long, it will fail with the error 'firmware path too long'.

Now follow → generic.uninstall

The stock firware (3.13.33(130617)) features a TFTP recovery client in bootloader. To activate it press and hold WPS/Reset Button during powering on until WPS LED turns on. Connect computer to LAN1. Using TCPdump, you should see ARP requests from router having address 192.168.0.86 looking for address 192.168.0.66.

# tcpdump -ni eth0 arp
ARP, Request who-has 192.168.0.66 tell 192.168.0.86, length 46

Set up your computer to address 192.168.0.66, netmask /24 (255.255.255.0).

# ip addr add dev eth0 192.168.0.66/24

Using TCPdump, you should now see request for new firmware image:

# tcpdump -npi eth0 udp
IP 192.168.0.86.2195 > 192.168.0.66.69:  44 RRQ "wdr4300v1_tp_recovery.bin" octet timeout 5

Rename factory image to given name and put it into TFTP server root. → generic.flashing.tftp

:!: In case you are flashing back original firmware, make sure original firmware image name does not contain word bootBack to original firmware.

# cp openwrt-ar71xx-generic-tl-wdr4300-v1-squashfs-factory.bin wdr4300v1_tp_recovery.bin
# atftpd --no-fork --daemon .

After downloading, the flashing starts immediately. After cca. 1 minute, the router reboots automatically.

If you want to de-brick/upgrade your router using TFTP you follow these steps:

Pre-requisits:

  • serial RS232 connected from your machine to TL-WDR4300 & terminal program (e.g. minicom, screen) set to 115200 8N1, no flow control, 3,3V
  • copy a working & full OpenWrt firmware image into your tftp server folder (e.g: openwrt-ar71xx-generic-tl-wdr4300-v1-squashfs-factory.bin)

(in case you want to flash the original TPLink firmware it migth needed to delete the first 200 Bytes from this firmware bevor flashing, plz check Video Flash Steps!)

  • start a tftpd server on your local machine on LAN address 192.168.1.100/24 and connect your LAN-port to one of the routers LAN ports

Video Flash Procedure: How to debrick TL-WDR4300

Written Flash Procedure:

  1. router should be unplugged & your serial line connected & terminal open & tftp server installed not yet running
  2. copy your desired openwrt image for the tplink-4300 into your tftp server folder and rename it into openwrt.bin (to save some typing within the flash procedure)
  3. first goal is to get the command prompt from the u-boot bootloader on your router
  4. you should only plug in the serial into the router's serial port AFTER it initialises for a split second after powering on BUT BEFORE Autobooting starts otherwise it might hang at the initialisation process
  5. plug in your router and be ready to type tpl & hit ENTER after you see the line Autobooting in 1 seconds:
U-Boot 1.1.4 (Apr 25 2012 - 18:29:12)

U-boot DB120


DRAM:  128 MB
id read 0x100000ff
flash size 8MB, sector count = 128
Flash:  8 MB
Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ag934x_enet_initialize...
No valid address in Flash. Using fixed address
 wasp  reset mask:c03300 
WASP  ----> S17 PHY *
: cfg1 0x7 cfg2 0x7114
eth0: ba:be:fa:ce:08:41
athrs17_reg_init: complete
eth0 up
eth0
Autobooting in 1 seconds
  1. in case you failed the right timing just reboot again until the prompt appears
db12x>
  1. now lets check what kind of parameters the u-boot loader expects (e.g file name of firmware via TFPT & Load Adress)
  2. type tftpboot & press ENTER ...
db12x> tftpboot

dup 1 speed 1000
 Warning: no boot file name; using '6F01A8C0.img'
Using eth0 device
TFTP from server 192.168.1.100; our IP address is 192.168.1.111
Filename '6F01A8C0.img'.
Load address: 0x81000000
Log: *
TFTP error: 'Access violation' (2)
Starting again
  1. as you can see, uboot expects a firmware image file name “6F01A8C0.img” at tftp server address 192.168.1.100
  2. just change you local ip into 192.168.1.100 and start your tftp server
  3. start the uboots tftpclient to download the image from your local machine by typing: tftpboot 0x81000000 openwrt.bin + ENTER
db12x> tftpboot 0x81000000 openwrt.bin

Using eth0 device
TFTP from server 192.168.1.100; our IP address is 192.168.1.111
Filename 'openwrt.bin'.
Load address: 0x81000000
Lg: #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         ############################
done
Bytes transferred = 8126464 (7c0000 hex)
  1. the last line needs to show a size of 7c0000 hex otherwise your image is unsuitable
  2. now we need to erase parts of the flash memory to be able to copy your fresh loaded firmware into it
  3. just type in the promt erase 0x9f020000 +7c0000 and wait for the promt to come back
db12x> erase 0x9f020000 +7c0000

First 0x2 last 0x7d sector size 0x10000                                                                                                                                                                                                  125
Erased 124 sectors
  1. now just copy the image to the rigth place by typing cp.b 0x81000000 0x9f020000 0x7c0000
db12x> cp.b 0x81000000 0x9f020000 0x7c0000

Copy to Flash... write addr: 9f020000
done
  1. so .. you, in case your image is the correct one, your are just a single reboot away from having a working TL-WRD4300 back on your desk
  2. type reset or just un-plug and re-plug the power of your router and watch the boot process
db12x> reset

Warning!WARNING: risk of frying your hardware. only do this when you understand basic electric engineering.

When the bootloader was trashed as well, and none of the above recovery methods work, you can de-brick the thing using flashrom, see http://flashrom.org/ISP.

If you don't have one of those fancy SOIC clips, desolder the flash chip (google for SOIC desoldering for your favorite method)

The default network configuration is:

Interface Name Description Default configuration
br-lan LAN & WiFi 192.168.1.1/24
vlan0 (eth0.0) LAN ports (1 to 4) None
vlan1 (eth0.1) WAN port DHCP
? WiFi Disabled

Numbers 2-5 are Ports 1-4 as labeled on the unit, number 1 is the Internet (WAN) on the unit, 0 is the internal connection to the router itself.

Port Switch port
CPU 0
WAN 1
LAN 1 2
LAN 2 3
LAN 3 4
LAN 4 5
(not used) 6

The switch ports may turn out to be not properly bridged in a default bootup config, causing connection failure. In this case you need to setup /etc/config/network or do manual swconfig setup - see switch for advice.

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config switch
        option name 'eth0'
        option reset '1'
        option enable_vlan '1'

## Port: internet
config switch_vlan
        option device 'eth0'
        option vlan '1'
        option ports '0t 1'
        list comment 'port internet, eth0.1'

## Port LAN1
config switch_vlan
        option device 'eth0'
        option vlan '2'
        option ports '0t 2'
        list comment 'port lan1, eth0.2'

## Port LAN2
config switch_vlan
        option device 'eth0'
        option vlan '3'
        option ports '0t 3'
        list comment 'port lan2, eth0.3'

## Port LAN3
config switch_vlan
        option device 'eth0'
        option vlan '4'
        option ports '0t 4'
        list comment 'port lan3, eth0.4'

## Port LAN4
config switch_vlan
        option device 'eth0'
        option vlan '5'
        option ports '0t 5'
        list comment 'port lan4, eth0.5'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ifname 'eth0.2 eth0.3 eth0.4 eth0.5'
        option ipaddr '192.168.1.5'
	option netmask '255.255.255.0'

config interface 'setup'
	option ifname 'br-lan'
        option proto static
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
        #notes
        # - this is an alias interface, that will let us continue
        #  the setup.

config interface 'wan'
        option ifname           'eth0.1'
        option proto            'dhcp'
        option type             'bridge'
	option metric           10

I ordered the switch ports to make it in order. port 1 is eth0.1 and wan port is eth0.5, which is just another network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd9e:344e:c4fd::/48'

config interface 'lan'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

config interface 'lan2'
        option ifname 'eth0.2'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

config interface 'lan3'
        option ifname 'eth0.3'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

config interface 'lan4'
        option ifname 'eth0.4'
        option proto 'static'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'

config interface 'lan5'
        option ifname 'eth0.5'
        option proto 'static'
        option ipaddr '192.168.5.1'
        option netmask '255.255.255.0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '3 0t'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '4 0t'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option ports '5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option ports '1 0t'
Instruction set MIPS MIPS 74Kc
Vendor Qualcomm Atheros
bootloader U-Boot
System-On-Chip AR9344 (MIPS)
CPU/Speed 560 MHz
Flash-Chip Spansion FL064KIF docs / winbond 25064FVSIG
Flash size 8192 KiB
RAM 128 MiB
Wireless No1 SoC-integrated: Atheros AR9340 2×2 MIMO for 2.4GHz 802.11b/g/n
Wireless No2 separate Chip: Atheros AR9580 3×3 MIMO for 5GHz 802.11a/n
switch Atheros AR8327N
USB Yes 2 x 2.0 (GL850G chip - 4 ports capable)
Serial Yes
JTAG Yes

TP-Link TL-WDR4300 v1.1 PCB top side tl-wdr4300-v13-front.jpg tl-wdr4300-v13-back.jpg

Remove the 4 screws on the bottom of the case.

The top is clipped to the bottom of the case at 9 attachment points: 3 on each side of the case, 1 on the back, and 2 on the front. Each attachment point consists of two pins which fit into holes in tabs which protrude from the other half of the case. All of the tabs are on the bottom of the case, with the exception of the case back, where the single tab is in the center of the top of the case.

One method known to work, once, is to start at one of the rear corners. The corner by the ethernet ports seems to work best. Gently flex the case and slightly separate the top from the bottom at the corner by lifting on, or inserting a fingernail or other thin object into, the crack above the antenna. While doing this insert the tip of a knife blade (upward, given the geometry as the unit normally sits) into the crack between the two halves along the side of the case toward the rear. This will force the pins in the top of the case outward, flex the tab protruding from the bottom of the case inward, and free the pins from the tab. If necessary the knife tip may be levered slightly toward the case interior after insertion. Due to the force separating the top of the case from the bottom near the antenna, the pins should pop out of the tab located on the case side near the rear, lift slightly upward, and remain free.

Continue to free the other tabs, first working from the rear corner toward the front of the case, then across the front of the case, and finally from the front of the case toward the rear along the opposite side. The two halves of the case will then separate without having to work at freeing the last attachment point at the rear of the case.

With care, this method leaves no marks on the case.

Serial console is available on the J1 (1.7) connector, 3.3v signals.

1 = TX out 2 = RX in 3 = GND 4 = VCC 3.3V
DO NOT CONNECT VCC. Use only TX/RX/GND.

Baud Rate: 115200 Data Bits: 8 Parity : No Stop Bits: 1

To break bootstrap sequence, type 'tpl' during the 1-second boot delay.

Factory firmware login credentials are not known at this time (it's not root/5up as with other tp-link models).

Below is an image of the PCB with the serial TTY console shown, in addition the JTAG pin location is shown as well. Both has all its pins labled as well.

TP-Link TL-WDR4300 serial pinout

port.jtag general information about the JTAG port, JTAG cable, etc.

How to connect to the JTAG Port of this specific device: See picture above.

PSU (power supply)

The TL-WDR4300 DE (v1.1) comes bundled with the following PSU:

tl-wr1043nd_dev10_psu.jpg

Specifications:

Brand/Model Leader Electronics Inc / LEI F7
Input 100-240V~ (50/60Hz, 0.6A)
Output 12.0V 1.5A
Measured output 12.15V
The plug (on the router side) has the following specifications:
Outer diameter 5.5mm
Inner diameter 2.1mm
Length of the shaft 9.5mm

Power consumption

The WDR4300/3600 consume about 3 W with both radios enabled and idle. Each connected ethernet cable adds about 0.3 W.

port.gpio The AR933x platform provides 30 GPIOs. Some of them are used by the router for status LEDs, buttons and other stuff. The table below shows the results of some investigation:

Voltage level at GPIO in output-mode gpioX/value in input-mode when GPIO is:
GPIO Common Name PCB Name gpioX/value=1 gpioX/value=0 Floating Pulled to GND Pulled to Vcc
0 JP1-9
1 JP1-3
2 JP1-5
3 JP1-7
4
5
6
7
8
9
10
11 LED USB1 DS8,R313
12 LED USB2 DS8,R314
13 LED WLAN2G DS6
14 LED System DS4
15 LED QSS DS5
16 WPS Button
17 WiFi Switch
18 External LNA0
19 External LNA1
20
21 USB2 Power
22 USB1 Power

To make the GPIOs available via sysfs, the required ones have to be exported to userspace, as it is explained on a page of the Squidge-Project. Kernel modules occupying that resource need to be removed before (e.g. “leds-gpio” and “gpio-buttons”). In output-mode, voltage levels of the GPIOs were measured against GND, after the value 1 or 0 had been written to /sys/class/gpio/gpioX/value. In input-mode, the value of the file /sys/class/gpio/gpioX/value was read when the GPIO was floating (initial state), pulled to GND or pulled to Vcc.

The 5GHz LED seems not to be controlled via GPIO.

Tested with |http over nginx|←wan-|wdr4300|←lan-|Client|

Mode Mbit
switched ~880
routed ~400
nat ~300

Warning!WARNING: risk of frying your hardware. only do this when you understand basic electric engineering.


The task was to make ext-root without using the default ports.

It turns out that the GL850G chipset used by the TP-Link in WDR3600/4300/4900 models can handle up to four ports.

Analysing the router's PCB it appears that pins 8(D-), 9(D+), 11(D-) and 12(D+) are unused. Aditionaly each factory USB port has separate power section.

GND is at the TP7 pin point. +5 V was taken directly from the MOSFET.

tl-wdr3600_usbmod-small.jpg tl-wdr3600_usbmod1-small.jpg

5 V (USB powered) compatibility

Internally, the device generates +1.2 V, +3.3 V and +5.0 V (just for USB). All voltage regulators will work from 4.5 V - 13.4 V. This makes the device capable of running from USB power (e.g. a power bank).

You have to open the case and remove (bridge) the input diode, which you will find directly in between the power connector and the input capacitors. Care: There are no thermal reliefs so you need a quite powerful soldering station. Unsolder the SMD diode, place a wire across the pads and solder that.

As the 3.3 V regulator is only specified for 13.4 V (with absolute maximum of 16 V), you will lower the allowed input voltage by this modification. Running directly of the car 12 V (up to 14.4 V while charging) is outside the limits when the diode is removed and on the edge when diode is in place.

USB devices connected to the USB port on the WDR4300/3600 may not work when the device is powered with less than 5.5 V.

Read about bootloader in general and about Das U-Boot in particular.

Forum member pepe2k made a modification of U-Boot 1.1.4 for Qualcomm Atheros SoCs based devices (the project is still being developed, so new devices and SoCs will be supported in the future). Up to date information, binary images and sources can be found on official GitHub repository.

This modification started from wr703n-uboot-with-web-failsafe project, but supports more devices, all modern web browsers, has a lot of improvements and other modifications (like U-Boot NetConsole, custom commands, overclocking possibilities etc.).

More information:

(for 1.7, at least)

db12x> printenv
bootargs=console=ttyS0,115200 root=31:02 rootfstype=squashfs init=/sbin/init mtdparts=ath-nor0:256k(u-boot),64k(u-boot-env),6336k(rootfs),1408k(uImage),64k(mib0),64k(ART)
bootcmd=bootm 0x9f020000
bootdelay=1
baudrate=115200
ethaddr=0xXX:0xXX:0xXX:0xXX:0xXX:0xXX
ipaddr=192.168.1.111
serverip=192.168.1.100
dir=
lu=tftp 0x80060000 ${dir}u-boot.bin&&erase 0x9f000000 +$filesize;cp.b $fileaddr 0x9f000000 $filesize
lf=tftp 0x80060000 ${dir}db12x${bc}-jffs2&&erase 0x9f050000 +0x630000;cp.b $fileaddr 0x9f050000 $filesize
lk=tftp 0x80060000 ${dir}vmlinux${bc}.lzma.uImage&&erase 0x9f680000 +$filesize;cp.b $fileaddr 0x9f680000 $filesize
stdin=serial
stdout=serial
stderr=serial
ethact=eth0

Environment size: 686/65532 bytes
db12x> 

Changing variables through 'setenv' doesn't seem to make the changes stick, unfortunately.

The following kernel log was capture on a WDR4300 running OpenWrt Designated Driver r48648 (trunk):

[ 0.000000] Linux version 4.1.16 (thepeople@trabant) (gcc version 5.2.0 (OpenWrt GCC 5.2.0 r48648) ) #1 Mon Feb 8 05:09:23 UTC 2016 [ 0.000000] MyLoader: sysp=84c31530, boardp=0065cbe4, parts=195ef6a4 [ 0.000000] bootconsole [early0] enabled [ 0.000000] CPU0 revision is: 0001974c (MIPS 74Kc) [ 0.000000] SoC: Atheros AR9344 rev 2 [ 0.000000] Determined physical RAM map: [ 0.000000] memory: 08000000 @ 00000000 (usable) [ 0.000000] Initrd not found or empty - disabling initrd [ 0.000000] Zone ranges: [ 0.000000] Normal [mem 0x0000000000000000-0x0000000007ffffff] [ 0.000000] Movable zone start for each node [ 0.000000] Early memory node ranges [ 0.000000] node 0: [mem 0x0000000000000000-0x0000000007ffffff] [ 0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff] [ 0.000000] On node 0 totalpages: 32768 [ 0.000000] free_area_init_node: node 0, pgdat 803d3fc0, node_mem_map 81000000 [ 0.000000] Normal zone: 256 pages used for memmap [ 0.000000] Normal zone: 0 pages reserved [ 0.000000] Normal zone: 32768 pages, LIFO batch:7 [ 0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes. [ 0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes [ 0.000000] pcpu-alloc: s0 r0 d32768 u32768 alloc=1*32768 [ 0.000000] pcpu-alloc: [0] 0 [ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 32512 [ 0.000000] Kernel command line: board=TL-WDR4300 console=ttyS0,115200 rootfstype=squashfs,jffs2 noinitrd [ 0.000000] PID hash table entries: 512 (order: -1, 2048 bytes) [ 0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes) [ 0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes) [ 0.000000] Writing ErrCtl register=00000000 [ 0.000000] Readback ErrCtl register=00000000 [ 0.000000] Memory: 125396K/131072K available (2910K kernel code, 143K rwdata, 592K rodata, 248K init, 200K bss, 5676K reserved, 0K cma-reserved) [ 0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1 [ 0.000000] NR_IRQS:83 [ 0.000000] Clocks: CPU:560.000MHz, DDR:450.000MHz, AHB:225.000MHz, Ref:40.000MHz [ 0.000000] clocksource MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 6825930166 ns [ 0.000008] sched_clock: 32 bits at 280MHz, resolution 3ns, wraps every 7669584382ns [ 0.007504] Calibrating delay loop... 278.93 BogoMIPS (lpj=1394688) [ 0.080011] pid_max: default: 32768 minimum: 301 [ 0.084579] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes) [ 0.090914] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes) [ 0.100281] clocksource jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns [ 0.110819] NET: Registered protocol family 16 [ 0.116318] MIPS: machine is TP-LINK TL-WDR3600/4300/4310 [ 0.124799] registering PCI controller with io_map_base unset [ 0.355004] PCI host bridge to bus 0000:00 [ 0.358908] pci_bus 0000:00: root bus resource [mem 0x10000000-0x13ffffff] [ 0.365577] pci_bus 0000:00: root bus resource [io 0x0000] [ 0.370913] pci_bus 0000:00: root bus resource [??? 0x00000000 flags 0x0] [ 0.377473] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff] [ 0.385152] pci 0000:00:00.0: [168c:0033] type 00 class 0x028000 [ 0.385169] pci 0000:00:00.0: invalid calibration data [ 0.390101] pci 0000:00:00.0: reg 0x10: [mem 0x00000000-0x0001ffff 64bit] [ 0.390161] pci 0000:00:00.0: reg 0x30: [mem 0x00000000-0x0000ffff pref] [ 0.390226] pci 0000:00:00.0: supports D1 [ 0.390242] pci 0000:00:00.0: PME# supported from D0 D1 D3hot [ 0.390478] pci_bus 0000:00: busn_res: [bus 00-ff] end is updated to 00 [ 0.390513] pci 0000:00:00.0: BAR 0: assigned [mem 0x10000000-0x1001ffff 64bit] [ 0.397524] pci 0000:00:00.0: BAR 6: assigned [mem 0x10020000-0x1002ffff pref] [ 0.404509] pci 0000:00:00.0: using irq 40 for pin 1 [ 0.410029] Switched to clocksource MIPS [ 0.415063] NET: Registered protocol family 2 [ 0.420220] TCP established hash table entries: 1024 (order: 0, 4096 bytes) [ 0.426902] TCP bind hash table entries: 1024 (order: 0, 4096 bytes) [ 0.433067] TCP: Hash tables configured (established 1024 bind 1024) [ 0.439232] UDP hash table entries: 256 (order: 0, 4096 bytes) [ 0.444843] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes) [ 0.451127] NET: Registered protocol family 1 [ 0.455346] PCI: CLS 0 bytes, default 32 [ 0.456358] futex hash table entries: 256 (order: -1, 3072 bytes) [ 0.479129] squashfs: version 4.0 (2009/01/31) Phillip Lougher [ 0.484760] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc. [ 0.496446] io scheduler noop registered [ 0.500227] io scheduler deadline registered (default) [ 0.505398] Serial: 8250/16550 driver, 16 ports, IRQ sharing enabled [ 0.514288] console [ttyS0] disabled [ 0.537749] serial8250.0: ttyS0 at MMIO 0x18020000 (irq = 11, base_baud = 2500000) is a 16550A [ 0.546032] console [ttyS0] enabled [ 0.553059] bootconsole [early0] disabled [ 0.565691] m25p80 spi0.0: found s25fl064k, expected m25p80 [ 0.571414] m25p80 spi0.0: s25fl064k (8192 Kbytes) [ 0.577240] 5 tp-link partitions found on MTD device spi0.0 [ 0.582940] Creating 5 MTD partitions on "spi0.0": [ 0.587816] 0x000000000000-0x000000020000 : "u-boot" [ 0.593733] 0x000000020000-0x00000015e38c : "kernel" [ 0.599556] 0x00000015e38c-0x0000007f0000 : "rootfs" [ 0.605412] mtd: device 2 (rootfs) set to be root filesystem [ 0.611233] 1 squashfs-split partitions found on MTD device rootfs [ 0.617518] 0x000000340000-0x0000007f0000 : "rootfs_data" [ 0.623817] 0x0000007f0000-0x000000800000 : "art" [ 0.629399] 0x000000020000-0x0000007f0000 : "firmware" [ 0.647823] switch0: Atheros AR8327 rev. 4 switch registered on ag71xx-mdio.0 [ 0.717193] libphy: ag71xx_mdio: probed [ 1.311422] ag71xx ag71xx.0: connected to PHY at ag71xx-mdio.0:00 [uid=004dd034, driver=Atheros AR8216/AR8236/AR8316] [ 1.322903] eth0: Atheros AG71xx at 0xb9000000, irq 4, mode:RGMII [ 1.331285] NET: Registered protocol family 10 [ 1.339246] NET: Registered protocol family 17 [ 1.343895] bridge: automatic filtering via arp/ip/ip6tables has been deprecated. Update your scripts to load br_netfilter if you need this. [ 1.356763] Bridge firewalling registered [ 1.360992] 8021q: 802.1Q VLAN Support v1.8 [ 1.371902] VFS: Mounted root (squashfs filesystem) readonly on device 31:2. [ 1.380232] Freeing unused kernel memory: 248K (803f2000 - 80430000) [ 2.299162] init: Console is alive [ 2.302870] init: - watchdog - [ 3.246099] usbcore: registered new interface driver usbfs [ 3.251807] usbcore: registered new interface driver hub [ 3.257301] usbcore: registered new device driver usb [ 3.267468] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver [ 3.275555] ehci-platform: EHCI generic platform driver [ 3.281013] ehci-platform ehci-platform: EHCI Host Controller [ 3.286873] ehci-platform ehci-platform: new USB bus registered, assigned bus number 1 [ 3.297011] ehci-platform ehci-platform: irq 3, io mem 0x1b000000 [ 3.320062] ehci-platform ehci-platform: USB 2.0 started, EHCI 1.00 [ 3.327294] hub 1-0:1.0: USB hub found [ 3.331462] hub 1-0:1.0: 1 port detected [ 3.338335] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver [ 3.346007] ohci-platform: OHCI generic platform driver [ 3.650051] usb 1-1: new high-speed USB device number 2 using ehci-platform [ 3.802494] hub 1-1:1.0: USB hub found [ 3.806672] hub 1-1:1.0: 4 ports detected [ 4.306780] init: - preinit - [ 4.935659] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready [ 4.961548] random: procd urandom read with 8 bits of entropy available [ 6.311286] eth0: link up (1000Mbps/Full duplex) [ 6.316055] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready [ 8.105107] jffs2_scan_eraseblock(): End of filesystem marker found at 0x10000 [ 8.112483] jffs2_build_filesystem(): unlocking the mtd device... done. [ 8.119216] jffs2_build_filesystem(): erasing all blocks after the end marker... [ 8.310376] Atheros AR8216/AR8236/AR8316 ag71xx-mdio.0:00: Port 1 is up [ 8.317429] Atheros AR8216/AR8236/AR8316 ag71xx-mdio.0:00: Port 2 is up [ 24.273288] done. [ 24.275283] jffs2: notice: (412) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found. [ 24.292428] mount_root: overlay filesystem has not been fully initialized yet [ 24.306352] mount_root: switching to jffs2 overlay [ 24.821552] eth0: link down [ 24.835284] procd: - early - [ 24.838319] procd: - watchdog - [ 25.557513] procd: - ubus - [ 26.564948] procd: - init - [ 27.342369] ip6_tables: (C) 2000-2006 Netfilter Core Team [ 27.361800] Loading modules backported from Linux version v4.4-rc5-1913-gc8fdf68 [ 27.369305] Backport generated by backports.git backports-20151218-0-g2f58d9d [ 27.379795] ip_tables: (C) 2000-2006 Netfilter Core Team [ 27.395866] nf_conntrack version 0.5.0 (1963 buckets, 7852 max) [ 27.434799] xt_time: kernel timezone is -0000 [ 27.513609] PPP generic driver version 2.4.2 [ 27.520573] NET: Registered protocol family 24 [ 27.568983] ath: EEPROM regdomain: 0x0 [ 27.569003] ath: EEPROM indicates default country code should be used [ 27.569013] ath: doing EEPROM country->regdmn map search [ 27.569033] ath: country maps to regdmn code: 0x3a [ 27.569045] ath: Country alpha2 being used: US [ 27.569054] ath: Regpair used: 0x3a [ 27.580256] ieee80211 phy0: Selected rate control algorithm 'minstrel_ht' [ 27.583349] ieee80211 phy0: Atheros AR9340 Rev:2 mem=0xb8100000, irq=47 [ 27.590302] PCI: Enabling device 0000:00:00.0 (0000 -> 0002) [ 27.601550] ath: EEPROM regdomain: 0x0 [ 27.601567] ath: EEPROM indicates default country code should be used [ 27.601577] ath: doing EEPROM country->regdmn map search [ 27.601598] ath: country maps to regdmn code: 0x3a [ 27.601609] ath: Country alpha2 being used: US [ 27.601618] ath: Regpair used: 0x3a [ 27.610247] ieee80211 phy1: Selected rate control algorithm 'minstrel_ht' [ 27.613386] ieee80211 phy1: Atheros AR9300 Rev:4 mem=0xb0000000, irq=40


This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2024/02/26 13:55
  • by elif