[Hack] TL-MR3020 + hack = OpenWRT USB / WiFi / Ethernet

Posted by skywodd ⋅ September 22, 2012 ⋅ 15 comments
Filed under madeinfr, openwrt

Hello everyone!

To continue my "Blyss box DIY" project I have started using a small USB / WiFi / Ethernet router. It will serve as a "link" between an Arduino board (with my BlyssSpoofer / BlyssSniffer code) and a web interface (or something else, to be decided).

Other members of the arduino.cc forum have also embarked on the adventure; here is one topic among many on the subject: http://arduino.cc/forum/index.php?topic=115889

The biggest problem was finding a WiFi router that fits the job. It has to meet the following criteria:
- Be small, ideally the size of an Arduino UNO board
- Have a USB port (or, failing that, a serial port) to connect the Arduino board
- Be compatible with OpenWRT (Linux distribution for routers)
- Have a network interface: WiFi, Ethernet or both

After much research and advice from the Arduino forum members, two candidates stood out:
- the TL-WR703N (available only in China)
- the TL-MR3020 (available in France but more expensive)

At the hardware level they are almost the same (same Atheros chipset, same RAM, same flash), apart from a few differences (shielded vs. unshielded Ethernet port, number of LEDs, ...).

For my part I chose the TL-MR3020 with OpenWRT (trunk version): http://wiki.openwrt.org/toh/tp-link/tl-mr3020

Why the TL-MR3020 and not the Chinese clone, the TL-WR703N?
- More LEDs = more GPIO = more opportunities for hacking
- Serial connector with a 2.54mm pitch (standard pitch = no headaches with "flying" wires)

On the other hand, the price is not the same at all ... 17 € for the TL-WR703N on eBay against almost double for the TL-MR3020 on Amazon, LDLC, ... The choice is yours.

In this first article I will detail only the hardware part. I will discuss the software part in a separate article.

The box:
If you have been reading my articles for a while you will have noticed that I love photographing the unboxing of everything I receive. This router is no exception, so here is what the box looks like:
The router inside the box with its protective film:
And all the accessories, many and varied:
A mini-USB power cable, a 5V mains adapter, an Ethernet cable: in short, everything a "classic" user needs.

The router, a quick tour:
The router as a whole:
Apart from the color (gray instead of blue) and the LED + button duo, there is no aesthetic difference with the TL-WR703N.
At the front:
Here we find:
- The Ethernet port
- The USB port, POWER ONLY
- The switch to select the operating mode of the router (with the original firmware)
On the right side:
Here is the USB port that is (usually) used to connect a 3G dongle. In my case a hub will be connected to this USB port, with a USB key (for the rootfs) and an Arduino board.
On top:
5 LEDs:
- Power
- 3G
- WiFi
- Ethernet
- WPS
And the WPS button.
-> First difference with the TL-WR703N, which has only 2 LEDs (one of which is not installed by default) and a reset button.
PS: as for the Ethernet cable ... I do not really trust its sturdiness ^^"

Shelling the case, or how to open a box that cannot be opened:
Opening the TL-MR3020 case is simply impossible without a knife with a very thin (and strong) blade and lots and lots of patience ...
To open the case you have to pop two clips of the coloured cover while sliding a knife all around the cover to break the glue dots. The first clip is just above the mini-USB port, the second is on the opposite side, ~1.5cm to the left of the TP-LINK logo.
This is what it looks like once the case is open:
You will notice the small squares all around the case: they are ALL ultrasonically bonded to the top cover.
PS: Be careful not to injure yourself when sliding the knife blade into the gap of the case, an accident happens so quickly ...

The electronic circuit:
Once the case is (finally) open, we can see what is hiding inside the beast:
The revision number of the circuit is on the ethernet connector:
As you can see I have a version 1 revision 7.
-> 2nd difference with the TL-WR703N: on the TL-WR703N the Ethernet port is shielded, on the TL-MR3020 it is not ...

The details of the hardware:
I have not followed any particular order, it is a bit of a jumble.

Atheros chipset + antenna:
The Atheros chipset is the heart of the router; it combines the CPU and the Ethernet / WiFi parts. It is an Atheros AR9330 revision 1 (= AR9331) chipset. The CPU belongs to the AR72xx range, more precisely an AR7240 running at 400MHz. The WiFi part supports 802.11 b/g/n at up to 150Mbps. The Ethernet part supports the 10Mbps and 100Mbps modes.

Mini-USB power port and "classic" USB port:
The mini-USB port is only there to supply +5V to the circuit. It cannot be used as a USB device or for anything else. According to the OpenWRT wiki the TL-MR3020 can operate at relatively low voltages, around 2.6/2.7V. This leaves open the possibility of powering it from a 1S 3.7V LiPo battery (I will have to test that). The second, more "classic" USB port can be used as a USB host like any normal USB port. You just need the proper drivers in your OpenWRT image and all will be well.

RAM and LEDs:
The RAM is 32MB, which leaves a lot of room for the user.
As for the LEDs, there are 5 of them, as I mentioned a little earlier. The detailed LED wiring is available on the OpenWRT wiki: http://wiki.openwrt.org/toh/tp-link/tl-mr3020#leds

SPI flash memory:
The SPI flash memory is 4 MB in size and is divided according to the memory map below:
mtd0 (128 KB): u-boot
mtd1 (1 MB): kernel
mtd2 (2.75 MB): rootfs
mtd3 (64 KB): configuration
mtd4 (64 KB): art (= Atheros Radio Test)
Above all, do not touch the memory area called "ART", otherwise the WiFi chipset will no longer work. If you ever brick the router's bootloader, it is possible to recover it by unsoldering the flash and connecting it to a programmer.
The OpenWRT wiki even provides a factory image of the entire flash: http://wiki.openwrt.org/toh/tp-link/tl-mr3020#restoring.original.firmware (2nd link in "link dump")
To be safe I will do a full dump of the mtd0 and mtd4 areas ... but I will discuss that in the article on the software.

Buttons:
There are two buttons, wired to three GPIOs. The first, labelled "button", is normally used to activate WPS WiFi authentication. The second, labelled "slide", has three positions and is normally used to select the operating mode of the router. The detailed button wiring is available on the OpenWRT wiki: http://wiki.openwrt.org/toh/tp-link/tl-mr3020#buttons

The serial port:
This is the most interesting part, because it gives access to the bootloader (u-boot) and lets you change the router's Linux kernel and rootfs at a low level. I do not use the method of flashing through the web interface, I find it too shaky. Flashing through the bootloader requires extreme vigilance to avoid bricking the router, but once you are used to it, it is much more reliable.
The serial port is wired as follows:
| (vcc) (gnd) (rx) [tx] |
() represents a round pad and [] the square pad (pin 1 mark).
The serial port is configured for 115200 baud, 8 data bits, 1 start bit, 1 stop bit, no parity and no flow control.
Problem: the serial port is wired a little strangely, so with some serial -> USB adapters it does not work properly. I tested with my SparkFun FTDI Basic and indeed it did not work out of the box. But do not panic, simply putting a 10K resistor between VCC and TX solves the problem. (Thanks to those who took the time to add a note about it in the OpenWRT wiki, otherwise I would still be looking for the problem ^^)
To do things properly, I made myself a serial connector -> FTDI Basic adapter from a scrap of PCB that was lying around:
Note: I have not connected the VCC pin of the FTDI Basic connector to the circuit's VCC, so I can use either a 5V or a 3V3 FTDI Basic without problems.
Once the serial connector is soldered, it looks like this:
Then simply plug the adapter into the serial connector:
And the FTDI Basic onto the adapter:
Then plug in the USB power and, hop, everything lights up!
And the serial monitor gives a nice serial console:
U-Boot 1.1.4 (Mar 20 2012 - 11:37:54)

AP121 (ar9330) U-boot

DRAM: 32 MB
led turning on for 1s...
id read 0x100000ff
flash size 4194304, sector count = 64
Flash: 4 MB
Using default environment

In: serial
Out: serial
Err: serial
Net: ag7240_enet_initialize...
No valid address in Flash. Using fixed address
No valid address in Flash. Using fixed address
: cfg1 0x5 cfg2 0x7114
eth0: 00:03:7f:09:0b:ad
ag7240_phy_setup
eth0 up
: cfg1 0xf cfg2 0x7214
eth1: 00:03:7f:09:0b:ad
athrs26_reg_init_lan
ATHRS26: resetting s26
ATHRS26: s26 reset done
ag7240_phy_setup
eth1 up
eth0, eth1
Autobooting in 1 seconds
## Booting image at 9f020000 ...
Uncompressing Kernel Image ... OK

Starting kernel ...

Booting AR9330(Hornet)...
Linux version 2.6.31--LSDK-9.2.0.312 ([email protected]) (gcc version 4.3.3 (GCC) ) #199 Tue Mar 20 11:38:41 CST 2012
flash_size passed from bootloader = 4
CPU revision is: 00019374 (MIPS 24Kc)
Determined physical RAM map:
memory: 02000000 @ 00000000 (usable)
User-defined physical RAM map:
memory: 02000000 @ 00000000 (usable)
Zone PFN ranges:
Normal 0x00000000 -> 0x00002000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
0: 0x00000000 -> 0x00002000
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 8128
Kernel command line: console=ttyS0,115200 root=31:02 rootfstype=squashfs init=/sbin/init mtdparts=ar7240-nor0:128k(u-boot),1024k(kernel),2816(rootfs),64k(config),64k(ART) mem=32M
PID hash table entries: 128 (order: 7, 512 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
Writing ErrCtl register=00000000
Readback ErrCtl register=00000000
Memory: 29876k/32768k available (1884k kernel code, 2892k reserved, 521k data, 116k init, 0k highmem)
Hierarchical RCU implementation.
NR_IRQS:128
plat_time_init: plat time init done
Calibrating delay loop... 266.24 BogoMIPS (lpj=532480)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
===== ar7240_platform_init: 0

Whoops! This kernel is for product mr3020 v1.0!

bio: create slab at 0
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
NET: Registered protocol family 1
AR7240 GPIOC major 0
squashfs: version 4.0 (2009/01/31) Phillip Lougher
NTFS driver 2.1.29 [Flags: R/O].
msgmni has been set to 58
alg: No test for lzma (lzma-generic)
alg: No test for stdrng (krng)
io scheduler noop registered
io scheduler anticipatory registered
io scheduler deadline registered
io scheduler cfq registered (default)
Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
ttyS0: detected caps 00000000 should be 00000100
serial8250.0: ttyS0 at MMIO 0xb8020000 (irq = 19) is a 16550A
console [ttyS0] enabled
PPP generic driver version 2.4.2
NET: Registered protocol family 24
cmdlinepart partition parsing not available
set partition boot
set partition kernel
set partition rootfs
set partition config
set partition art
set partition ÿ
Searching for RedBoot partition table
5 RedBoot partitions found on MTD device ar7240-nor0
Creating 5 MTD partitions on "ar7240-nor0":
0x000000000000-0x000000020000 : "boot"
0x000000020000-0x000000120000 : "kernel"
0x000000120000-0x0000003e0000 : "rootfs"
0x0000003e0000-0x0000003f0000 : "config"
0x0000003f0000-0x000000400000 : "art"
->Oops: flash id 0x10215 .
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
Port Status 1c000004
ar7240-ehci ar7240-ehci.0: ATH EHCI
ar7240-ehci ar7240-ehci.0: new USB bus registered, assigned bus number 1
ehci_reset Intialize USB CONTROLLER in host mode: 3
ehci_reset Port Status 1c000000
ar7240-ehci ar7240-ehci.0: irq 3, io mem 0x1b000000
ehci_reset Intialize USB CONTROLLER in host mode: 3
ehci_reset Port Status 1c000000
ar7240-ehci ar7240-ehci.0: USB 2.0 started, EHCI 1.00
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
TCP cubic registered
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear
All bugs added by David S. Miller
ar7240wdt_init: Registering WDT success
VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
Freeing unused kernel memory: 116k freed
init started: BusyBox v1.01 (2012.01.16-03:21+0000) multi-call binary
This Board use 2.6.31
xt_time: kernel timezone is -0000
nf_conntrack version 0.5.0 (512 buckets, 5120 max)
ip_tables: (C) 2000-2006 Netfilter Core Team
insmod: cannot open module `/lib/modules/2.6.31/kernel/iptable_raw.ko': No such file or directory
insmod: cannot open module `/lib/modules/2.6.31/kernel/flashid.ko': No such file or directory
PPPoL2TP kernel driver, V1.0
PPTP driver version 0.8.3
insmod: cannot open module `/lib/modules/2.6.31/kernel/harmony.ko': No such file or directory

(none) mips #199 Tue Mar 20 11:38:41 CST 2012 (none)
(none) login: Now flash open!
Now flash open!
ATHR_GMAC: Length per segment 1536
ATHR_GMAC: fifo cfg 3 01f00140
ATHR_GMAC: Mac address for unit 1:bf1f0006
ATHR_GMAC: 25:51:9d:db:e0:5c
ATHR_GMAC: Max segments per packet : 1
ATHR_GMAC: Max tx descriptor count : 40
ATHR_GMAC: Max rx descriptor count : 96
ATHR_GMAC: Mac capability flags : 4D83
ATHR_GMAC: Mac address for unit 0:bf1f0000
ATHR_GMAC: 03:30:dc:d3:6e:49
ATHR_GMAC: Max segments per packet : 1
ATHR_GMAC: Max tx descriptor count : 40
ATHR_GMAC: Max rx descriptor count : 252
ATHR_GMAC: Mac capability flags : 4403
athr_gmac_ring_alloc Allocated 640 at 0x81e7d800
athr_gmac_ring_alloc Allocated 4032 at 0x81d61000
Setting Drop CRC Errors, Pause Frames and Length Error frames
Setting PHY...mac 0
athr_gmac_ring_alloc Allocated 640 at 0x81e7d400
athr_gmac_ring_alloc Allocated 1536 at 0x81f2b000
athr_gmac_mii_setup: MDC check failed
Setting Drop CRC Errors, Pause Frames and Length Error frames
ATHRS26: resetting s26
ATHRS26: s26 reset done
Setting PHY...mac 1
device eth0 entered promiscuous mode
Now flash open!
nf_conntrack_rtsp v0.6.21 loading
nf_nat_rtsp v0.6.21 loading
asf: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
ath_hal: 0.9.17.1 (AR9380, DEBUG, REGOPS_FUNC, WRITE_EEPROM, 11D)
ath_rate_atheros: Copyright (c) 2001-2005 Atheros Communications, Inc, All Rights Reserved
ath_dev: Copyright (c) 2001-2007 Atheros Communications, Inc, All Rights Reserved
ath_ahb: 9.2.0_U5.508 (Atheros/multi-bss)
Boostrap clock 25MHz
ar9300RadioAttach: Need analog access recipe!!
Restoring Cal data from Flash
ath_get_caps[4735] rx chainmask mismatch actual 1 sc_chainmak 0
ath_get_caps[4710] tx chainmask mismatch actual 1 sc_chainmak 0
wifi0: Atheros 9380: mem=0xb8100000, irq=2
wlan_vap_create : enter. devhandle=0x80d202c0, opmode=IEEE80211_M_HOSTAP, flags=0x1
wlan_vap_create : exit. devhandle=0x80d202c0, opmode=IEEE80211_M_HOSTAP, flags=0x1.
VAP device ath0 created

DES SSID SET=TP-LINK_POCKET_3020_D6E207
ieee80211_scan_unregister_event_handler: Failed to unregister evhandler=c0aeb860 arg=80c1aac0
wlan_vap_delete : enter. vaphandle=0x81eaa000
wlan_vap_delete : exit. vaphandle=0x81eaa000
wlan_vap_create : enter. devhandle=0x80d202c0, opmode=IEEE80211_M_HOSTAP, flags=0x1
wlan_vap_create : exit. devhandle=0x80d202c0, opmode=IEEE80211_M_HOSTAP, flags=0x1.
VAP device ath0 created

DES SSID SET=TP-LINK_POCKET_3020_D6E207
ieee80211_ioctl_siwmode: imr.ifm_active=393856, new mode=3, valid=1
WARNING: Fragmentation with HT mode NOT ALLOWED!!
device ath0 entered promiscuous mode
br0: port 2(ath0) entering forwarding state
ieee80211_ioctl_siwmode: imr.ifm_active=918144, new mode=3, valid=1
br0: port 2(ath0) entering disabled state

DES SSID SET=TP-LINK_POCKET_3020_D6E207
br0: port 2(ath0) entering forwarding state

TL-MR3020 mips #199 Tue Mar 20 11:38:41 CST 2012 (none)
TL-MR3020 login: root
Password: 5up
Jan 1 00:01:13 login[150]: root login on `ttyS0'

BusyBox v1.01 (2012.01.16-03:21+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

# help

Built-in commands:
-------------------
. : break cd continue eval exec exit export help login newgrp
read readonly set shift times trap umask wait

# cd /bin
# ls
busybox df kill msh sh
cat echo login ping true
chmod false ls ps umount
date iptables-xml mount rm
#
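
Added example (not part of the original article): a Python check of the flash layout that appears both in the mtd0..mtd4 memory map and in the boot log above. It goes slightly beyond the article by comparing the `mtdparts=` kernel argument with the partition table the kernel actually created, and by flagging a planned write that would touch the bootloader or ART areas the article warns about. The function names and the `PROTECTED` set are assumptions made for this example.

```python
import re

# Constructed sample: the flash-related lines copied from the boot log on this page.
BOOT_LOG = '''\
flash size 4194304, sector count = 64
Kernel command line: console=ttyS0,115200 root=31:02 rootfstype=squashfs init=/sbin/init mtdparts=ar7240-nor0:128k(u-boot),1024k(kernel),2816(rootfs),64k(config),64k(ART) mem=32M
cmdlinepart partition parsing not available
Creating 5 MTD partitions on "ar7240-nor0":
0x000000000000-0x000000020000 : "boot"
0x000000020000-0x000000120000 : "kernel"
0x000000120000-0x0000003e0000 : "rootfs"
0x0000003e0000-0x0000003f0000 : "config"
0x0000003f0000-0x000000400000 : "art"
'''

# Linux mtdparts sizes: no suffix means bytes, k = KiB, m = MiB.
UNITS = {"": 1, "k": 1024, "m": 1024 ** 2}

# Assumption for this example: regions the article says not to overwrite
# (bootloader = brick risk, ART = WiFi calibration data).
PROTECTED = {"boot", "u-boot", "art"}


def flash_size(log):
    """Flash size in bytes as reported by U-Boot, or None if absent."""
    m = re.search(r"flash size (\d+)", log)
    return int(m.group(1)) if m else None


def parse_mtdparts(log):
    """Return [(name, start, end)] computed from the mtdparts= argument.

    Only the plain size(name) form used on this page is handled.
    """
    m = re.search(r"mtdparts=[^:\s]+:(\S+)", log)
    if not m:
        return []
    parts, offset = [], 0
    for item in m.group(1).split(","):
        pm = re.fullmatch(r"(\d+)([kKmM]?)\(([^)]+)\)", item)
        if not pm:
            raise ValueError(f"unsupported mtdparts entry: {item!r}")
        size = int(pm.group(1)) * UNITS[pm.group(2).lower()]
        parts.append((pm.group(3), offset, offset + size))
        offset += size
    return parts


def parse_kernel_table(log):
    """Return [(name, start, end)] from the 'Creating N MTD partitions' lines."""
    rows = re.findall(
        r'^0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)\s*:\s*"([^"]+)"', log, re.M)
    return [(name, int(s, 16), int(e, 16)) for s, e, name in rows]


def check_layout(parts, total):
    """List the problems: gaps, overlaps, empty partitions, wrong total size."""
    problems, expected = [], 0
    for name, start, end in parts:
        if start != expected:
            problems.append(f"{name}: starts at {start:#x}, expected {expected:#x}")
        if end <= start:
            problems.append(f"{name}: empty or negative size")
        expected = end
    if expected != total:
        problems.append(f"layout ends at {expected:#x}, flash size is {total:#x}")
    return problems


def overlapping_protected(parts, start, length):
    """Names of protected partitions a write of `length` bytes at `start` would hit."""
    end = start + length
    return [name for name, s, e in parts
            if name.lower() in PROTECTED and start < e and s < end]


if __name__ == "__main__":
    total = flash_size(BOOT_LOG)
    for label, parts in (("mtdparts= argument", parse_mtdparts(BOOT_LOG)),
                         ("kernel partition table", parse_kernel_table(BOOT_LOG))):
        print(label)
        for name, s, e in parts:
            print(f"  {name:8s} {s:#08x}-{e:#08x} ({e - s} bytes)")
        print("  problems:", check_layout(parts, total) or "none")
    # A kernel + rootfs sized write is fine; a whole-chip write is not.
    table = parse_kernel_table(BOOT_LOG)
    print(overlapping_protected(table, 0x20000, 0x3C0000))
    print(overlapping_protected(table, 0x0, total))
```

The unitless `2816(rootfs)` entry is read as 2816 bytes, so the command-line layout does not add up to the 4 MB chip; the log's "cmdlinepart partition parsing not available" line shows the kernel ignored it and used the table that matches the article's memory map.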
Default password for the serial console: login = root, password = 5up
Default password for the web interface: login = admin, password = admin
PS: I have not taken the time to look at the stock web interface ... I just booted the router to make sure it worked and then immediately after I removed it.

Next steps to take:
- Compiling OpenWrt trunk for the TL-MR3020
- Flashing the new firmware
- Updating the u-boot bootloader (though the original seems to be up to date already)
- Booting the uImage and rootfs from a partition of the USB key
- Integrating the Arduino board with my BlyssSpoofer / BlyssSniffer code
- Implementing an HTML + CGI GUI

Bonus for the curious:
Both sides of the PCB in high resolution

Have a good weekend and happy hacking to all!
Discussion 15 Responses to "[hack] TL-MR3020 + hack = OpenWRT USB / WiFi / Ethernet"
1. Mmhh .. Project forward.
Posted by Alex (@venedesign) | September 23, 2012, 10 h 48 min

2. Hello, I always follow your wonderful blog with attention, great job! A question about the project: why not interface directly with a Raspberry Pi, which would let you have a web interface and interact directly with the Arduino via USB? Maybe I have not quite understood the purpose of your interface with the wireless router, but I was able to do that with 2 Arduinos + a Pi and it works pretty well! See you!
Posted by tibo | September 24, 2012, 1 h 30 min

   o Because it's cheating. I prefer to use a 400MHz ARM with a homemade Linux kernel rather than a modified Debian ISO that I do not really know how.
   Posted by skywodd | September 24, 2012, 20 h 29 min

3. Great project! I have the same router and I confess I use an RBP to have a web interface and control the Arduino. The advantage of your project is that you will probably save an RBP, and so if the project is embedded it will save you a lot in energy consumption! To be continued!
Published by vlp | September 24, 2012, 8 h 25 min

   o In terms of consumption it is unbeatable; by managing the WiFi chipset's power supply properly, it should even be possible to run the setup on a LiPo battery for a long time.
   Posted by skywodd | September 24, 2012, 20 h 30 min

4. Superb article, I'm impressed. I just (re)ordered* this router for a more basic use with a tablet, but this makes me want to dig further, even just for the USB host with OpenWRT.
* The first refurbished one I received did not
Posted by Joel | September 25, 2012, 22 h 58 min

5. Hello, great article. For my part, I started an equivalent project based on a Marvell OpenRD. I use this box in addition as a NAS / firewall / router.
Posted by David | October 18, 2012, 13 h 49 min
6. Hi Skywood, I find this post particularly interesting; I have an MR3020 myself which I experiment on, but only in software. I have installed OpenWRT on it and I must say it is teaching me a lot about administering a network under Linux; I spend a lot of time on the distribution's site and I am determined to understand all the subtleties of this router. I also have a small question, in case you know the answer: adding an option "option macadrr 'xx:xx:xx:xx:xx:xx'" in the network interface configuration files is supposed to change the MAC address of the WiFi chipset, but it does not work ... From what I have read since, it seems that to change the MAC address you have to rewrite mtd4, which contains the radio test data and notably the address in question, which is precisely what you recommend not touching ... needless to say I am burning to try. Anyway, if you know a little more I would love to hear your advice before potentially making a big mistake, especially since I have no way to rewrite the flash. And otherwise, when do you think you will write the rest of the article?!
Posted by karol | December 28, 2012, 23 h 54 min

   o >> From what I have read since, it seems that to change the MAC address you have to rewrite mtd4, which contains the radio test data and notably the address in question, which is precisely what you recommend not touching ...
   If you have made a backup of your mtd4 and your bootloader is in good health, you can try. But without knowing the exact layout of the config data there is little chance of producing something functional (there is surely a checksum somewhere) ... Usually you can change the MAC address at the bootloader level (uboot), at the Linux kernel level (macchanger) or in hardware (on the other hand ... how I know).
   >> Especially since I have no way to rewrite the flash.
   If the bootloader is alive you can always reflash a backup over TFTP. Or with the mtd tool, if Linux still boots after your changes.
   >> And otherwise, when do you think you will write the rest of the article?!
   For now, I can tell you it took me almost a month to compile a custom OpenWRT image because of loads of problems with my Linux ... Now that the kernel compiles I am trying to compile the latest version of uboot and throw everything onto the router.
   Posted by skywodd | December 29, 2012, 0 h 51 min

   Thank you for responding so quickly. Do you have links / books or any other documentation to recommend, because reading your answer I realize that I lack knowledge ... Are you really comfortable with this kind of handling: installing a bootloader or using mtd (this is a rather obscure command for me ...)? PS: I am part of a computer security community, http://www.zenk-security.com/, there is more info there, but I mainly run the "electronics" category of the forum. I invite you to come pay a visit ;D (you just have to prove yourself through a few tests to get in, so that not just anyone comes, but you are gifted and it should not be a problem for you). We are also on Rizon IRC, #Zenk-Security.
   Posted by karol | December 29, 2012, 1 h 22 min

   >> Do you have links / books or any other documentation to recommend, because reading your answer I realize that I lack knowledge ...
   Not really, I only look at the docs / manuals and "how to" guides of the projects I use. It is in English, but at least it is always up to date and (mostly) very comprehensive.
   >> Are you really comfortable with this kind of handling: installing a bootloader or using mtd (this is a rather obscure command for me ...)?
   Really comfortable, no; completely crazy, yes. I compile and flash without overthinking it; in the worst case I know I can reflash by unsoldering the memory chip, so it's fine. By "instinct", as they say ^^
   >> PS: I am part of a computer security community, http://www.zenk-security.com/, there is more info there, but I mainly run the "electronics" category of the forum.
   I know it, it is the forum with a kind of diode as its logo ^^ I had seen pictures of your team on the NDH website (by the way, I have never been to the NDH ... sniff).
   Posted by skywodd | December 29, 2012, 22 h 21 min
7. I did think you were rather the type to pick up information left and right for your projects, but sometimes it feels good to pick up a good reference book / doc and be guided by an expert. I should invest in some gear, such as a programmer for microcontrollers or EEPROMs; that would give me some autonomy and might make it easier to experiment on my own .. I seem to have read on your site that your father was in electronics, I guess that helps a little? Indeed, that's us! I have never been to the NDH either .. but maybe this year, who knows? I am of course with some members, so maybe there is a way. Regards
Posted by karol | January 2, 2013, 16 h 56 min

   o >> I should invest in some gear, such as a programmer for microcontrollers or EEPROMs; that would give me some autonomy and might make it easier to experiment on my own ..
   I just have a Bus Pirate board and a Pocket AVR programmer. No need for special gear; most of the time I tinker together what I need with an Arduino, ARM or other board. On the other hand, by the end of the month I will get a digital oscilloscope (my old analog clunker is dead); that really is an essential tool for tinkering with hardware.
   >> I seem to have read on your site that your father was in electronics, I guess that helps a little?
   Yep, and I get to pick up nice stuff at times.
   Posted by skywodd | January 2, 2013, 17 h 26 min
Source : http://skyduino.wordpress.com/2012/09/22/hack-tl-mr3020-openwrt-bidouillage-usb-wifi-ethernet/