TP Link WDR3600 recovery without serial

For those of you that don't feel confident enough to solder a serial header or need to recover a router quickly without having to buy any extras i've found a quick and easy way to do so.
I found holding the reset button in and powering on the router attempts to download a recovery firmware from a tftp server, i've written some simple steps to allow this. 
1, Change your PC/Laptop ip address to 192.168.0.66
2, Connect you computer to one of the LAN ports on the router (WAN port won't work for this)
2, Setup a tftp server on your machine (I use solarwinds tftp server)
3, Put the desired firmware in your tftp folder and rename it to wdr3600v1_tp_recovery.bin
4, Start the tftp server
5, Hold down the WPS/Reset button on the router
6, Power on the router
7, After approximately 7 seconds release the reset button
8, The router will now download the firmware from your server and upgrade
Sit back and marvel at it's simplicity.
Here is the output seen via serial during this operation….
[code]U-Boot 1.1.4 (Sep  9 2013 – 14:28:41)
U-boot DB120
DRAM:  128 MB
id read 0x100000ff
flash size 8MB, sector count = 128
Flash:  8 MB
Using default environment
PCIe Reset OK!!!!!!
In:    serial
Out:   serial
Err:   serial
Net:   ag934x_enet_initialize…
No valid address in Flash. Using fixed address
 wasp  reset mask:c03300
WASP  —-> S17 PHY *
: cfg1 0x7 cfg2 0x7114
eth0: ba:be:fa:ce:08:41
athrs17_reg_init: complete
eth0 up
eth0
dup 1 speed 1000
Using eth0 device
TFTP from server 192.168.0.66; our IP address is 192.168.0.86
Filename 'wdr3600v1_tp_recovery.bin'.
Load address: 0x80060000
Loading: T T T T T #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         ############################
done
Bytes transferred = 8126464 (7c0000 hex)
original_product_id = 36000001
 original_product_ver = 01
 recovery_product_id = 36000001
 recovery_product_ver = 01
 auto update firmware: product id verify sucess!
First 0x2 last 0x7d sector size 0x10000
 125
Erased 124 sectors
Copy to Flash… write addr: 9f020000
done
U-Boot 1.1.4 (Sep  9 2013 – 14:28:41)
U-boot DB120
DRAM:  128 MB
id read 0x100000ff
flash size 8MB, sector count = 128
Flash:  8 MB
Using default environment
PCIe Reset OK!!!!!!
In:    serial
Out:   serial
Err:   serial
Net:   ag934x_enet_initialize…
No valid address in Flash. Using fixed address
 wasp  reset mask:c03300
WASP  —-> S17 PHY *
: cfg1 0x7 cfg2 0x7114
eth0: ba:be:fa:ce:08:41
athrs17_reg_init: complete
eth0 up
eth0
Autobooting in 1 seconds
## Booting image at 9f020000 …
   Uncompressing Kernel Image … OK
Starting kernel …
Booting Atheros AR934x
Linux version 2.6.31–LSDK-9.2.0_U6.616 (root@localhost.localdomain) (gcc version 4.3.3 (GCC) ) #1 Wed Mar 20 15:14:56 CST 2013
Ram size passed from bootloader =128M
flash_size passed from bootloader = 8
CPU revision is: 0001974c (MIPS 74Kc)
ath_sys_frequency: cpu srif ddr srif cpu 560 ddr 450 ahb 225
Determined physical RAM map:
 memory: 08000000 @ 00000000 (usable)
Zone PFN ranges:
  Normal   0x00000000 -> 0x00008000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00008000
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 32512
Kernel command line: console=ttyS0,115200 root=31:02 rootfstype=squashfs init=/sbin/init mtdparts=ath-nor0:128k(u-boot),1024k(kernel),6912k(rootfs),64k(config),64k(ART) mem=128M
PID hash table entries: 512 (order: 9, 2048 bytes)
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
Writing ErrCtl register=00000000
Readback ErrCtl register=00000000
Memory: 112924k/131072k available (1852k kernel code, 17984k reserved, 428k data, 120k init, 0k highmem)
NR_IRQS:128
plat_time_init: plat time init done
Calibrating delay loop… 279.55 BogoMIPS (lpj=559104)
Mount-cache hash table entries: 512
****************ALLOC***********************
 Packet mem: 8026c4c0 (0xe00000 bytes)
********************************************
NET: Registered protocol family 16
PCI init:ath_pcibios_init
ath_pcibios_init(294): PCI CMD write: 0x356
registering PCI controller with io_map_base unset
bio: create slab <bio-0> at 0
pci 0000:00:00.0: PME# supported from D0 D1 D3hot
pci 0000:00:00.0: PME# disabled
Returning IRQ 64
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 4096 (order: 3, 32768 bytes)
TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP reno registered
NET: Registered protocol family 1
ATH GPIOC major 0
squashfs: version 4.0 (2009/01/31) Phillip Lougher
msgmni has been set to 220
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 254)
io scheduler noop registered
io scheduler deadline registered (default)
Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
serial8250.0: ttyS0 at MMIO 0xb8020000 (irq = 19) is a 16550A
console [ttyS0] enabled
PPP generic driver version 2.4.2
NET: Registered protocol family 24
5 cmdlinepart partitions found on MTD device ath-nor0
Creating 5 MTD partitions on "ath-nor0":
0x000000000000-0x000000020000 : "u-boot"
0x000000020000-0x000000120000 : "kernel"
0x000000120000-0x0000007e0000 : "rootfs"
0x0000007e0000-0x0000007f0000 : "config"
0x0000007f0000-0x000000800000 : "ART"
->Oops: flash id 0xef4017 .
—-TP IGMP has been init——
TCP cubic registered
NET: Registered protocol family 10
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
athwdt_init: Registering WDT success
ath_otp_init: Registering OTP success
ath_clksw_init: Registering Clock Switch Interface success
VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
Freeing unused kernel memory: 120k freed
init started:  BusyBox v1.01 (2013.02.27-07:39+0000) multi-call binary
This Board use 2.6.31
insmod: cannot open module `/lib/modules/2.6.31/kernel/x_tables.ko': No such file or directory
insmod: cannot open module `/lib/modules/2.6.31/kernel/xt_tcpudp.ko': No such file or directory
xt_time: kernel timezone is -0000
nf_conntrack version 0.5.0 (2048 buckets, 8192 max)
CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or
sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
ip_tables: (C) 2000-2006 Netfilter Core Team
insmod: cannot open module `/lib/modules/2.6.31/kernel/iptable_raw.ko': No such file or directory
insmod: cannot open module `/lib/modules/2.6.31/kernel/flashid.ko': No such file or directory
PPPoL2TP kernel driver, V1.0
PPTP driver version 0.8.3
insmod: cannot open module `/lib/modules/2.6.31/kernel/harmony.ko': No such file or directory
 (none) mips #1 Wed Mar 20 15:14:56 CST 2013 (none)
(none) login: Now flash open!
Now flash open!
Now flash open!
Now flash open!
Now flash open!
Erase from 0X7E0000 to 0X7EFC80:.
Program from 0X7E0000 to 0X7EFC80:
write successfully
Now flash open!
Now flash open!
Erase from 0X7E0000 to 0X7EFC80:.
Program from 0X7E0000 to 0X7EFC80:
write successfully
Now flash open!
Erase from 0X7E0000 to 0X7EFC80:.
Program from 0X7E0000 to 0X7EFC80:
write successfully
ATHR_GMAC: Length per segment 1536
ATHR_GMAC: fifo cfg 3 01f00140
ATHR_GMAC: RX TASKLET – Pkts per Intr:100
ATHR_GMAC: Mac address for unit 0:bfff0000
ATHR_GMAC: ff:ff:ff:ff:ff:ff
ATHR_GMAC: Max segments per packet :   1
ATHR_GMAC: Max tx descriptor count :   128
ATHR_GMAC: Max rx descriptor count :   128
ATHR_GMAC: Mac capability flags    :   2381
athr_gmac_ring_alloc Allocated 2048 at 0x87af3000
athr_gmac_ring_alloc Allocated 2048 at 0x87a6f800
WASP  —-> S17 PHY *
Setting Drop CRC Errors, Pause Frames and Length Error frames
Hello, nat module!
thread: napt_ct_scan create success pid:108
netlink_kernel_create succeeded at tp_rule_nl_prot: [29]
isis_ip_intf_entry_add id[0] for vid[1]
isis_ip_intf_entry_add id[1] for vid[2]
ACL(Index 0) For packet From Wan Port and TTL is zero
ACL is not yet enabled. Enabling…
ACL Rule(Index 2) For UDP with Zero Checksum
######## S17 SSDK init succeeded! ########
++++ athrs17_igmp_setup once
athrs17_reg_init:done
Setting PHY…
napt_ct_scan_thread: time: 4
ADDRCONF(NETDEV_UP): eth0: link is not ready
device eth0.1 entered promiscuous mode
device eth0 entered promiscuous mode
Now flash open!
Receive unknown msgType:10 at isis_nat_helper.2631.c:2930/tp_rule_netlink()!
isis_ip_intf_entry_add id[1] for vid[2]
br0: port 1(eth0.1) entering forwarding state
ACL Rule(Index 1) For Packet From WAN to LAN Port And DIP is in lan net
nf_conntrack_rtsp v0.6.21 loading
nf_nat_rtsp v0.6.21 loading
Enet:0 port4 up
ATH_MAC_TIMER: enet unit:0 is up…
RGMii 1000Mbps full duplex
ATH_MAC_TIMER: done cfg2 0x7215 ifctl 0x0 miictrl
ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
asf: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
ath_hal: 0.9.17..1 (AR5416, AR9380, REGOPS_FUNC, WRITE_EEPROM, 11D)
ath_rate_atheros: Copyright (c) 2001-2005 Atheros Communications, Inc, All Rights Reserved
ath_dfs: Version 2.0.0
Copyright (c) 2005-2006 Atheros Communications, Inc. All Rights Reserved
ath_dev: Copyright (c) 2001-2007 Atheros Communications, Inc, All Rights Reserved
ath_ahb: 9.2..0_U10.1020 (Atheros/multi-bss)
__ath_attach: Set global_scn[0]
ACBKMinfree = 48
ACBEMinfree = 32
ACVIMinfree = 16
ACVOMinfree = 0
CABMinfree = 48
UAPSDMinfree = 0
Restoring Cal data from Flash
dfs_attach: use DFS enhancements
DFS min filter rssiThresh = 18
DFS max pulse dur = 151 ticks
ath_get_caps[5108] rx chainmask mismatch actual 3 sc_chainmak 0
ath_get_caps[5083] tx chainmask mismatch actual 3 sc_chainmak 0
SC Callback Registration for wifi0
wifi0: Atheros 9340: mem=0xb8100000, irq=2
ath_pci: 9.2.0_U10.1020 (Atheros/multi-bss)
__ath_attach: Set global_scn[1]
ACBKMinfree = 48
ACBEMinfree = 32
ACVIMinfree = 16
ACVOMinfree = 0
CABMinfree = 48
UAPSDMinfree = 0
Restoring Cal data from Flash
dfs_attach: use DFS enhancements
DFS min filter rssiThresh = 18
DFS max pulse dur = 151 ticks
ath_get_caps[5108] rx chainmask mismatch actual 3 sc_chainmak 0
ath_get_caps[5083] tx chainmask mismatch actual 3 sc_chainmak 0
SC Callback Registration for wifi1
wifi1: Atheros 9580: mem=0x10000000, irq=64 hw_base=0xb0000000
wlan_vap_create : enter. devhandle=0x87bd82c0, opmode=IEEE80211_M_HOSTAP, flags=0x1
wlan_vap_create : exit. devhandle=0x87bd82c0, opmode=IEEE80211_M_HOSTAP, flags=0x1.
VAP device ath0 created
 DES SSID SET=TP-LINK_2.4GHz_B69685
 ieee80211_ioctl_siwmode: imr.ifm_active=131712, new mode=3, valid=1
device ath0 entered promiscuous mode
br0: port 2(ath0) entering forwarding state
 ieee80211_ioctl_siwmode: imr.ifm_active=1442432, new mode=3, valid=1
br0: port 2(ath0) entering disabled state
 DES SSID SET=TP-LINK_2.4GHz_B69685
br0: port 2(ath0) entering forwarding state
br0: port 2(ath0) entering disabled state
br0: starting userspace STP failed, starting kernel STP
br0: topology change detected, propagating
br0: port 2(ath0) entering forwarding state
wlan_vap_create : enter. devhandle=0x86c802c0, opmode=IEEE80211_M_HOSTAP, flags=0x1
wlan_vap_create : exit. devhandle=0x86c802c0, opmode=IEEE80211_M_HOSTAP, flags=0x1.
VAP device ath1 created
 DES SSID SET=TP-LINK_5GHz_B69686
 ieee80211_ioctl_siwmode: imr.ifm_active=66176, new mode=3, valid=1
Found best 11na chan: 44
br0: port 1(eth0.1) entering disabled state
br0: topology change detected, propagating
br0: port 1(eth0.1) entering forwarding state
device ath1 entered promiscuous mode
br0: topology change detected, propagating
br0: port 3(ath1) entering forwarding state
 ieee80211_ioctl_siwmode: imr.ifm_active=852608, new mode=3, valid=1
br0: port 3(ath1) entering disabled state
 DES SSID SET=TP-LINK_5GHz_B69686
br0: topology change detected, propagating
br0: port 3(ath1) entering forwarding state
br0: port 3(ath1) entering disabled state
br0: topology change detected, propagating
br0: port 3(ath1) entering forwarding state
fuse init (API version 7.12)
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
Port Status 1c000004
ath-ehci ath-ehci.0: ATH EHCI
ath-ehci ath-ehci.0: new USB bus registered, assigned bus number 1
ehci_reset Intialize USB CONTROLLER in host mode: 13
ehci_reset Port Status 1c000000
ath-ehci ath-ehci.0: irq 3, io mem 0x1b000000
ehci_reset Intialize USB CONTROLLER in host mode: 13
ehci_reset Port Status 1c000000
ath-ehci ath-ehci.0: USB 2.0 started, EHCI 1.00
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
SCSI subsystem initialized
usb 1-1: new high speed USB device using ath-ehci and address 2
usb 1-1: configuration #1 chosen from 1 choice
hub 1-1:1.0: USB hub found
hub 1-1:1.0: 4 ports detected
Initializing USB Mass Storage driver…
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
 GPL NetUSB up!
kc   86 : run_telnetDBGDServer start
kc  223 : init_DebugD end
INFO1758: NetUSB 1.184, 0002061F : May  7 2012 10:36:59
INFO175A:  AUTH ISOC
INFO175B:
usbcore: registered new interface driver KC NetUSB General Driver
INFO0076:  init proc : PAGE_SIZE 4096
INFO17B4: Check mac address
INFO162C:  infomap 8654c220
INFO162F:  sleep to wait br0 to wake up
INFO02D0:  use dev Name br0
INFO1638:  sleep to wait br0 end.
INFO1651:  UDP_BROAD 7437 tcpPort:625868800
INFO02D0:  use dev Name br0
INFO1538: tcpConnector() started…
TP_RULE_NAT:enable hardware nat
IPv6 over IPv4 tunneling driver
(tp_mroute_enable_write)140, tp_mroute_enable = 1
INFO1415: Bind to br0[/code]

26 Responses to TP Link WDR3600 recovery without serial

  • mike run

    Replied on: November 10, 2014, 08:12

    Unfortunately, on my 3600 the above method does not work, so I guess I’ll have to do via serial (for the moment I am ordering this here: “PL2303HX – Modular converter cable, USB to TTL to UART, RS232 COM”).

  • brian

    Replied on: November 10, 2014, 08:22

    Hi Mike, are you using solarwinds tftp server? does it show anything in the log? have you set your pc to the correct static ip and using a lan port on the router?

    • mike run

      Replied on: November 10, 2014, 09:43

      Hello Brian, as tftp server I used “Tftpd64”, since I had already installed a long time; regarding IP and the rest I did as the guide, but in the server log tftp nothing appears (I have obviously set is the right folder where I put the firmware is set to the LAN where to listen). maybe now I try to do it with the TFTP server specified in the guide.

      • mike run

        Replied on: November 10, 2014, 09:59

        nothing to do, even using solarwinds tftp server can not solve 🙁 I guess I’ll go for serial ..

  • brian

    Replied on: November 10, 2014, 10:05

    Try putting the router into recovery mode first then connecting the ethernet cable then start the tftp server. Have you got the firmware filename set to wdr3600v1_tp_recovery.bin. Try tcpdump/wireshark and you should see arp requests from the router.

    Full size http://www.theoutpost.org/wp-content/uploads/2014/11/wdr3600_recovery_wireshark.jpg

    • mike run

      Replied on: November 10, 2014, 10:32

      here is what appears on wireshark

      [URL=http://s1340.photobucket.com/user/tgaserver/media/3600/wireshark_zpsbddafbee.png.html][IMG]http://i1340.photobucket.com/albums/o728/tgaserver/3600/th_wireshark_zpsbddafbee.png[/IMG][/URL]

  • brian

    Replied on: November 10, 2014, 10:35

    link doesn’t work ‘Sorry, the requested page does not exist.
    Please check the URL for correct spelling and capitalization.’

  • mike run

    Replied on: November 10, 2014, 10:50

  • brian

    Replied on: November 10, 2014, 11:05

    Where mine says who has 192.168.0.66? (laptop) tell 192.168.0.86 (router) where yours says tell 0.0.0.0 . Also your router doesn’t appear to be in recovery mode? Try starting wireshark then hold down the wps/reset button on the router and power on, you should see the file request.

    • mike run

      Replied on: November 10, 2014, 12:23

      I did, but unfortunately, as you can see from the picture does not appear the request. keep in mind that before you brick your router I had the DD-WRT firmware as above; Therefore, I do not know if this makes a difference compared to other cases of brick

      this is the log from the start:

      https://www.dropbox.com/s/m1rnu5syi5fzzo2/wireshark%20log.pcapng?dl=0

  • brian

    Replied on: November 10, 2014, 12:35

    Ahh my recovery was from a router running stock firmware. I will have a look at the log. Did it brick during the initial flash from stock to ddwrt? Do you have a link to the image you used?

    • mike run

      Replied on: November 10, 2014, 12:57

      no days ago I successfully upgraded from stock firmware to DD-WRT v24 PreSP2 [Beta] Build 21061, but having some trouble every now and then with wifi (sometimes no longer appeared 2 networks wifi router) and having read around the forum that was resolved with r24461 I tried to do the upgrade via the web interface of DD-WRT, but something must have gone wrong because the restart I found myself with a bricked router; then the router can not be reached, much less respond to the ping, and so on.

      both firmware I had taken from the official website of DD-WRT, the first time I used what is called: factory-to-ddwrt.bin

  • brian

    Replied on: November 11, 2014, 09:18

    I’ve flashed from stock to DD-WRT v24-sp2 (03/25/13) std – build 21061 (factory-to-ddwrt.bin), when pressing the reset button on power on I was able to use the recovery method to go back to stock. I then reupgraded to 21061 then upgraded via the gui to DD-WRT v24-sp2 (06/23/14) std – build 24461 then went back to stock using my revoery method. Do you have any firewalls running? if so disable them as they may be blocking tftp.

    • mike run

      Replied on: November 11, 2014, 09:34

      then we say that the only attempt I can do is to try using a serial or say even that I could solve?

      • brian

        Replied on: November 11, 2014, 09:42

        Yes try serial but seems strange that the recovery method is not working for you, have you tried it with firewall disabled?

        • mike run

          Replied on: November 11, 2014, 10:42

          I have the firewall of the antivirus included in the suite, but it always disabled while I proceeded with the test

  • brian

    Replied on: November 12, 2014, 20:34

    Let me know how you get on with the serial.

    • mike run

      Replied on: November 14, 2014, 21:34

      ok, the cable arrived yesterday, now I have to find the 3 pin connector and finally get some free time to put them to settle and do the rest.

      • brian

        Replied on: November 14, 2014, 22:04

        header pins can be bought in strips of 10 from ebay or an electronics component shop like maplins.

        • mike run

          Replied on: December 2, 2014, 16:47

          hello sorry for the delay in the response but after they got the pin to be welded, as they are not very handy with the soldering, I had to spend it all to a friend who gets along much better than me :), (by the way I it has also started a second router, tP-link WR1043ND v1.2 always with dd-wrt even there, however also in latter ‘I did do its welding pin). because I plan to never to the dd-wrt, but I would put on both routers “openwrt”, advise me to put before the original firmware of the tp-link router for 2 or I can already put us directly via the serial ‘openwrt ?.
          Another question, since I have two USB keys that do not use (1 2GB and 4GB one, it would put on WDR3600, while the 2GB on WR1043ND v.1.2) and I read through them that you can bypass the problem of memory limits of these routers, always using OpenWRT; if you can you tell me the steps to do?

          thanks and sorry for the length of the response.

        • mike run

          Replied on: December 2, 2014, 18:37

          oh I forgot I thought as a “version” of OpenWRT to use this:
          https://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/

          can fit?

        • mike run

          Replied on: December 3, 2014, 12:39

          in the meantime, I have resurrected both 2 router via serial and put on both the “version” of openwrt you that I indicated yesterday, also I have already connected the two keys that I said, (I have done nothing for the moment)

          • brian

            Replied on: December 9, 2014, 19:12

            Hi Mike, how have things been going on the openwrt front? I haven’t done the usb flash memory thing, have you got any further with it or do you want me to have a go at it?

  • Big Dummy

    Replied on: April 11, 2016, 14:37

    Still works with a TL-WR940Nv3

    Thanks, I about had a heart attack before I saw this!

  • Gerry

    Replied on: April 18, 2016, 17:14

    Hi,
    I followed the instructions, uploaded the latest firware by TFTP but then I am stuck in a boot loop.
    Somehow , from what I can see, it is stuck in recovery mode even though I rebooted etc …,
    any idea?

    • brian

      Replied on: April 18, 2016, 18:49

      Hi Gerry did you give enought time for the upgrade to complete before you rebooted it? have you tried doing the upgrade again? Make sure you are using the correct device/hardware version firmware.

Leave a Reply

Your email address will not be published. Required fields are marked *