U-Boot mod for routers with AR9331

Introduction
There exists a modification to the bootloader of certain routers that makes it essentially
unbrickable. This modification adds a Web Gui to the bootloader that is selectable during router
bootup. From this Gui you can upload a new firmware image to the router even if the current
image does not work.
This allows you to recover from a bad image or a situation that, in normal circumstances, would
require a serial connection to the router.
The project that created this modification is located at https://github.com/pepe2k/u-boot_mod
and an OpenWRT thread about it is at https://forum.openwrt.org/viewtopic.php?id=43237
In this tutorial we will show you how to make the modifications to the bootloader using a
special version of OpenWRT and using an Ethernet connection.
The routers that can have this modification done to them :
Make
DLink
TP-Link

Model
Dir505A1
MR10Uv1
MR13Uv1
MR3020v1
MR3040v1 and v2
MR3220v2
MR3600/4300/4310
WR703N
WR710Nv1
WR720Nv3
WR740Nv4/741Nv4

Background
A router uses a special type of memory to hold the programs and data needed for it to run. This
is called Flash or Nonvolatile (NV) memory. This memory can be written to and read from and
will retain its contents even when the power is removed. It is very similar to the memory in a
USB memory stick.
This memory is laid out in sections, with each section containing different parts of the routers
programs and data. One section, called the u-boot section, contains the program, and its data,
which is run when the router is first powered up.
This is the same as a computers BIOS and it initializes the hardware and prepares things so the
actual router firmware can be executed.
It is possible to upgrade this program to add new features which are not present in the factory
bootloader. That was the purpose of the U-Boot Project. The most valuable addition it made to
the bootloader program is a Web Gui that you can activate, using the routers reset button,
during the router boot process. Other features were also added but wont be looked at here.
To upgrade the bootloader we must simply change the program that is held in the u-boot
section of the Flash memory. We do this by overwriting the program currently in that section.

Warning
It is possible to brick your router doing this to the point that a special chip programmer is
needed to recover it.
Take care to follow every step in the procedure to ensure that this does not happen.
The procedure shown here was carried out on a TP-Link WR703Nv1.7 without issue but
The author of this text, and the presented version of U-Boot is not liable for any adverse effects
resulting from the application to on this website instructions, inability to upload or software
errors in the reporting software. The author has made every effort and tested the software
presented on these later in the devices, but does not guarantee that it will work properly on your
device.
What's more, you have been warned that the replacement of the Software U-Boot is a highly
dangerous operation and in the event of failure, your device will no longer start, and the only
way to restore it to operation of the program will flash with an external programmer.
All operations performed on the basis of the information contained therein are doing at your own
risk!

Requirements
Several programs are required in order to make the modifications to the bootloader. None of
these require great skill and should be within the reach of the average user.
The three programs needed are WinSCP, Putty and HxD.
WinSCP and Putty are used to access the Flash memory of the router and downloads and a
tutorial on their use can be found at http://www.ofmodemsandmen.com/winscp.html
HxD is a freeware Hex Editor and the program is included with this package in the Hex Editor
folder. Run the program in that folder and install HxD on your computer.

Flashing the Router

In order to to modify the u-boot section of memory it is necessary to flash the router with a
special version of OpenWRT. The reason for this is that, in normal OpenWRT, the u-boot
memory section is read-only and cannot be modified. This special image removes that
restriction.
Open the Routers folder in this package and look in the folder that matches your router model.
In that folder you will find a file named openwrt-special-xxxxxx.bin that is the special version of
OpenWRT needed for this procedure.
Flash your router with this image using the normal methods. Go to the routers web interface
and set the router password so that it is possible to use Putty and WinSCP with the router.

Updating the Bootloader

Because the u-boot section of Flash memory contains both the bootloader and data specific to
your router we cannot just write the new bootloader program to it.
Instead, we must extract the entire u-boot section, modify the program part of the resulting file
and then write it back to the Flash memory again. This will preserve the router specific data
that is contained in that memory section. It also allows us to back up the old bootloader in case
we wish to revert back to it at a future date.

Extracting the U-Boot memory Section

The first step required is to extract the entire u-boot memory section and place it in a file which
can be copied from the router to our computer.
To do this we will use Putty and WinSCP.
Use Putty to log in to the command line of the router, using the password you set previously.
To find out which memory section contains the bootloader, enter the following command.
cat /proc/mtd
You will get something like the following as a response.
dev:
mtd0:
mtd1:
mtd2:
mtd3:
mtd4:
mtd5:

size
00020000
000feba0
002d1460
00100000
00010000
003d0000

erasesize name
00010000 "u-boot"
00010000 "kernel"
00010000 "rootfs"
00010000 "rootfs_data"
00010000 "art"
00010000 "firmware"

We are interested in the section named u-boot and need to know which dev it is. In this
case, and in most (all?) cases, the dev will be mtd0.
Now that we know the dev enter the following at the command line.
cat /dev/mtd0 > /tmp/uboot_backup.bin

If your u-boot section is a different dev then replace the mtd0 with the correct one.
This extracts the u-boot memory section and places it in a file called uboot_backup.bin in the
routers /tmp folder.
Now use WinSCP to copy that file from the /tmp folder to a folder on your computer. You have
successfully extracted the U-Boot Memory section from the router.
Update the Bootloader
Before proceeding any further copy the uboot_backup.bin file to a safe location on your
computer just in case you wish to restore the original bootloader or you make a mistake
modifying it.
In this package, go to the Routers folder and, in the folder that matches your router model,
copy the uboot_for_xxxx.bin file to the same folder as the uboot_backup.bin file.

Run the HxD hex editor and open both of these files in it.

Select the uboot_for_xxxx.bin tab. Select all of the file using Ctrl-A and copy it using Ctrl-C. This
file is 64K in length.
Now, select the uboot_backup.bin tab and place the cursor at the first byte of the file. This file
is 128K in length.

Select Edit->Paste Write. The 64K bytes of the uboot_for_xxxx.bin file will replace the first 64K
bytes of the uboot_backup.bin file. This replaces the bootloader program in the file but leaves
the router specific data in the second 64K alone.
Select File->Save As and save the file as uboot_mod.bin.
You have now updated the bootloader file to the modified version.

Write the Bootloader

The last step is to write the modified bootloader file to the u-boot memory section on the
router.
Use WinSCP to copy the uboot_mod.bin file to the /tmp folder on the router.
Run Putty and go to the router command line with it. Type the following.
mtd r write /tmp/uboot_mod.bin u-boot
You will see this as a response if everything works.
Unlocking u-boot ...
Writing from uboot_mod.bin to u-boot ...
The bootloader has been updated and you can now reboot your router.

Bootloader Web GUI

To access the Web GUI of the bootloader, unplug the routers power.
Hold in the routers reset button and plug the power back in.
The routers power light will flash and then start to blink once per second. Release the reset
button after 4 blinks (4 seconds). The power light will then blink rapidly for 2 seconds.
Use your browser to go to 192.168.1.1. You will see the following page.

Use the Browse button to select the firmware image you wish to flash to the router and the
Update Firmware button do the flashing.
Warning
No checking is done to see if the image you select is correct for the router. Be sure that you
select an image that is compatible with your router.

Conclusion
By modifying the router bootloader you have made it very difficult to brick your router. Even if
the image you flash to the router is faulty you can always activate the Bootloader Web Gui and
flash to a working image.
If the image you flashed refuses to start or crashes during execution the Bootloader Web Gui
should automatically start, giving you a chance to reflash and fix the problem. If it doesnt, you
can use the reset button to activate it.