How to Unbrick TP-Link WiFi Router WR841ND using TFTP and Wireshark
Posted on Jan 20, 2018 in Hardware, Repair; viewed 46.7K times
TP-Link WiFi Router WR841ND is a very popular router because of its price,
especially in my country. However, this router is able to provide many more
features than the stock firmware has. One day I decided to make it more
powerful and feature-rich; furthermore, I noticed a message on the official
TP-Link page about the possibility of installing custom firmware at your own
risk. Therefore I decided to install the DD-WRT firmware. Here is one possible
usage of DD-WRT firmware.
I flashed the firmware successfully and everything seemed to work, but then
I realized that I had to restore all settings (like port forwarding, MAC
address binding and so on) manually. Fortunately, I had backed up the
config file. But this binary file is suitable only for the stock firmware. I
had no time for exploring and parsing the binary file, so I decided to roll
back in order to save my settings in a plain text file and then flash the
DD-WRT firmware again. I successfully rolled back and saved my settings, but
while updating via “web flash firmware” in the DD-WRT web GUI, something went
wrong and my router got bricked. The router started blinking all LEDs
periodically, which is also known as the boot loop. The router’s internal
interface went up and down periodically as well.
Is this the end?
Don’t worry if you bricked your router; there are a lot of ways to get it back
to life. Some of the most used methods are:
1. Communication over UART (TTL). In this case you need to disassemble
your router and solder some wires to the pins on the router’s motherboard;
then you will be able to connect to the router over the UART
interface. This is usually done with a USB<->TTL converter.
2. Using the built-in TFTP auto-unbricker. Some routers have a built-in TFTP
client that runs and looks for a TFTP server in the local network to
download firmware and debrick itself. This feature is usually provided
by U-Boot.
I could easily solder some wires and connect to the router over UART, but I
really didn’t want to tear down my router, so I decided to use the second
option.
Unbricking the router
All tutorials that you can find on the Internet suggest using a constant IP
address like 192.168.0.68, but generally it could be any address. It depends
on the boot firmware flashed to your router. Therefore, you would have to try
each IP address in the range from 192.168.0.2 to 192.168.0.68 until you find
the proper one. Furthermore, the router’s TFTP client will look for a file
with some hardcoded name, which could be different for every firmware. Of
course, you shouldn’t try every possible combination; this article’s intention
is to help you find the exact parameters.
We will find out the exact IP address and file name using a network sniffer,
Wireshark. Using Wireshark we can see everything that happens in our
network, all packets going back and forth. Here are the steps to unbrick the
router that helped me.
1. Download Wireshark from the official site and install it.
2. Then run Wireshark and select the Ethernet adapter which you are going to
use for connecting the router via a UTP cable.
3. You should see an empty log list at first.
4. Now it’s time to connect your router. Connect one side of the UTP cable to
any LAN port (not WAN) on the router; the other side should go to your
PC or laptop.
5. Power on the router after the cable is connected. You should see
packets appearing in the log list.
6. Clear the log list in Wireshark. Power off your router. Then hold the
WPS/Reset button and power it on. Keep holding the WPS/Reset
button for some time (about 10 seconds).
7. If you are lucky and have done everything right, you will see an ARP packet
like this:
19 1.389742 ba:be:fa:ce:08:41 Broadcast
As you can see from the line above, in my case the router is looking for
192.168.0.66.
8. Let’s configure our network interface to have the IP address that the
router is looking for.
9. Enter the IP address you got from Wireshark and the subnet mask
255.255.255.0. Save settings.
10. Finally, we need to find out what file name the router is looking for.
11. Start Wireshark again. Power on the router while holding the WPS/Reset
button. Wait for a few seconds; you will see the log list growing. Look
for a TFTP packet (you can find it by sorting the protocol column). You
should find something like this:
159 7.304062 192.168.0.86 192.168.0.66 TFTP
12. This packet contains the file name the router is looking for. In this case
it is wr841nv8_tp_recovery.bin. There’s a little left to do now.
13. Next, download the TFTP server, for example that one, and install it.
14. Now you have to find a recovery file for your router. Go to the download
section and find firmware WITHOUT the boot section; usually this is stated
in the file name or description. In my case I will use the OpenWRT
firmware downloaded from
https://downloads.openwrt.org/chaos_calmer/15.05/ar71xx/generic/
The file name is
openwrt-15.05-ar71xx-generic-tl-wr841n-v8-squashfs-factory.bin
15. Rename the downloaded file to the value you got from the TFTP packets, in
my case wr841nv8_tp_recovery.bin. Run TFTPd as
administrator and select the proper IP address and the directory where your
firmware is located.
16. Now power off the router. Connect it to your computer via the network
cable. Hold the WPS/Reset button and power it on. Wait until a
progress dialog appears. After that you will see progress in the TFTP
Server tab; wait until it completes. Do not power off the router; give
it some time to update the firmware and boot up.
I have tried to do this on several PCs: first on a Windows 10 laptop, then
an XP laptop, and the only machine that worked was a Windows
7 desktop PC. It doesn’t depend on the type of computer, but mostly on
the software installed (especially firewalls and anti-virus software). So if
you get the TFTP request from the router, but it doesn’t upload the firmware
(you don’t see the progress dialog), then try to use another PC. You can
use any OS; a TFTP server implementation is available for any OS
(macOS, Linux, Windows).
17. Finally, reset your network adapter settings to Automatic or your
previous settings. After that you should be able to access the router’s
control Web UI as usual using a browser (192.168.0.1).
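The two values read off Wireshark in steps 7 and 12 sit at fixed offsets: the target address of the ARP request and the file name of the TFTP read request. The following Python code is an added example, not part of the original article, that extracts both from raw Ethernet frames; the function names are illustrative, and the sample frames are constructed from the addresses and file name shown above (the PC MAC 02:00:00:00:00:01 and the ARP sender address 192.168.0.86 are assumptions).

```python
import socket
import struct

def parse_frame(frame: bytes):
    """Return the recovery parameter an Ethernet frame reveals, or None."""
    if len(frame) < 42:                                   # shorter than an ARP frame
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0806:                               # ARP
        if struct.unpack("!H", frame[20:22])[0] != 1:     # keep only who-has requests
            return None
        return {"kind": "arp", "router_mac": frame[22:28].hex(":"),
                "wanted_ip": socket.inet_ntoa(frame[38:42])}
    if ethertype == 0x0800 and frame[23] == 17:           # IPv4 carrying UDP
        udp = frame[14 + (frame[14] & 0x0F) * 4:]         # skip the IP header (IHL words)
        if len(udp) < 12 or udp[2:4] != b"\x00\x45" or udp[8:10] != b"\x00\x01":
            return None                                   # not a TFTP RRQ to UDP port 69
        fields = udp[10:].split(b"\x00")                  # filename NUL mode NUL
        name = fields[0].decode("ascii", "replace")
        if len(fields) < 3 or not name or "/" in name or "\\" in name:
            return None                                   # malformed, or not a bare file name
        return {"kind": "tftp_rrq", "filename": name,
                "mode": fields[1].decode("ascii", "replace").lower(),
                "router_ip": socket.inet_ntoa(frame[26:30]),
                "server_ip": socket.inet_ntoa(frame[30:34])}
    return None

def recovery_plan(frames):
    """Combine the frames into the two values the procedure needs."""
    plan = {}
    for info in filter(None, map(parse_frame, frames)):
        if info["kind"] == "arp":
            plan["pc_ip"] = info["wanted_ip"]
        else:
            plan["pc_ip"], plan["filename"] = info["server_ip"], info["filename"]
    return plan

def sample_frames():
    """Constructed frames using the values shown in this article (not a real capture)."""
    mac, pc_mac = bytes.fromhex("babeface0841"), bytes.fromhex("020000000001")
    rip, pc = socket.inet_aton("192.168.0.86"), socket.inet_aton("192.168.0.66")
    arp = (b"\xff" * 6 + mac + b"\x08\x06"
           + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + mac + rip + bytes(6) + pc)
    rrq = b"\x00\x01wr841nv8_tp_recovery.bin\x00octet\x00"
    udp = struct.pack("!HHHH", 2048, 69, 8 + len(rrq), 0) + rrq
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0) + rip + pc
    return [arp, pc_mac + mac + b"\x08\x00" + ip + udp]

if __name__ == "__main__":
    print(recovery_plan(sample_frames()))
```

The parser rejects a requested name that contains path separators, because that value comes off the wire and ends up as a file name on the PC.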
Conclusion
In this article I’ve shared my experience of debricking my router. The main
idea of the article is to show how the recovery process works under the hood
and how you can find out the required IP address and file name that your
sick router is looking for. I hope this article helps you to fix your router.
If you have any questions, please feel free to leave them below in the
comments section.
Alexander Molochko
Hi, my name is Molochko Alexander, I am interested in different areas of software
development, curious about learning and discussing architectural and software patterns,
examining internals and understanding how everything works under the hood.
© CROSP Solutions 2017-2018. All rights reserved.