« Back to home

How I got DD-WRT running on an unsupported TP-LINK WR941ND v5 [+github code]

Posted on

I recently got a TP-LINK WR941ND v5, a cheap (I paid R$170 or US$54) router for domestic use. For the first days, the router worked pretty ok, but soon I ran into some problems in the factory's firmware: freezes, crashes, slow loadings, very limited configuration for routing and MAC Filters, etc.

Soon, I realized the solution was to install a custom firmware, like DD-WRT. I also had a WR841 v8, wich uses the same Atheros AR9341 platform and worked perfectly with DD. I thought it would be easy, like just downloading the firmware from DD's website, uploading, waiting and bla bla bla. I was wrong.

First, WR941 v5 isn't listed on DD-WRT official roms. It isn't officially supported, even in beta builds. I ran in circles trying to upload the WR841 v8 firmware to it (if it bricks, I could restore using the serial port and an Arduino; I did it sometime ago and could do again, if necessary).

But, for my deception, the setup wasn't accepting the file. Every time I tried, I got a new error. I tried changing filenames, dates, reseting, etc, nothing worked.

Ok, I had to let the forums help me in.

After some jumbled results from Google, I finally discovered the root cause: TP-LINK uses some HEX identifiers in the header of .bin firmwares to correctly identify the firmware, if it's compatible with the hardware it's been uploaded on and an especial MD5 checksum.

It turned out to be very simple: the header for WR841 v8 was 08 41 00 08. In other words, I had just to change it to 09 41 00 05, so my WR941 v5 could recognize it. Pretty simple, uh?

Not so fast.

Hexedit showing WR841v8's header.

Hexedit showing WR841v8's header.

Besides the model header, TP-LINK implemented a checksum header. The checksum is calculated excluding the rest of the file, so it's not a common checksum you can just check running md5sum on terminal.

Thankfully, people at DD-WRT had already ran with this issue and made a C++ program to overcome this limitation.

After compiling, getting the correct checksum and editing the file under hexedit, the upload was successful. I'm even now writing this text using my hacked router!

Hexedit, now showing the modified header for WR941.

To make things easier, I made a simple python script to automatically modify the 841v8 firmware and uploaded it to GitHub. The code is widely commented, so you can hack it and make any improvements.