Thursday, August 15, 2019

Updating Boot loader of your Router:: more robust boot loader!!


For Atheros or QCA/Atheros based routers the boot loader is U-Boot. For Broadcom (CPU) based routers the boot loader is CFE!!

Please note that most people do not need to update their boot loader, as it serves no functional purpose for them.  But for professional router technicians or network professionals it's a must.  Here is what can be achieved with an updated and more robust boot loader,

1. You can update or change the MAC (hardware) address of the router in hand.
2. You get an httpd server embedded in the boot loader, so you can flash OpenWrt or DD-WRT or update firmware through a more convenient web interface.
3. In some (older) routers, if the flash chip is changed to an 8 or 16 MB one, the older U-Boot does not identify the new size of the chip, which is not the intended result!!
4. If the flash chip is changed to an 8 or 16 MB chip, the ART partition needs to be re-flashed to the end of the newly installed flash chip; this can be done with the web interface, which is more convenient.
5. Overclock the router CPU to extract more power from the router!!
6. Some users report that some routers' U-Boot has backdoors!!, though I cannot confirm it!!

Flashing U-Boot could potentially brick your router. Please have a serial console or JTAG set up beforehand to recover from any mistake or bad flash.  An external flash programmer may also be necessary.

But before proceeding further, you must know the SoC or CPU of your router, as you must install a boot loader built specifically for that SoC.  Here I'm interested in low cost qca953x based routers, which are the TP-Link tl840v2 or v3, tl841v8/v9/v10/v11 or v12, tl850n/re etc. routers.  But if you know the processor or CPU, then you can do similar things to other routers with other or more powerful SoCs. Also, there are potentially 100's of cheap routers using qca9531 (with USB)/9533 processors that can use this mod!!

To flash U-Boot you need a working TFTP server on your computer.  The connection must be made from the computer directly to your router with a UTP cable.  First try connecting to the WAN port of your router; if that does not work, try the LAN ports, starting from LAN1.

If you need help setting up a TFTP server and connecting your router to your computer/PC, please follow the page containing "Flashing router with serial port...." here,

Flashing Router via Serial Port:: This is the Preferred way to flash Firmware of any router

In fact, flashing the U-Boot of a router over the serial port/console is the same or similar.

First connect a serial to USB converter such as the cp2102 from your PC to the router's serial port and turn the router on. Then, in the console window, check the environment variables, which include your "memory load address", with the command "printenv". You should see something like the following on your screen/monitor,

u-boot> printenv                                                             
bootargs=console=ttyS0,115200 root=31:02 rootfstype=squashfs init=/sbin/init mt)
bootcmd=bootm 0x9F020000                                                     
bootdelay=1                                                                   
baudrate=115200                                                               
autoload=no                                                                   
loadaddr=0x80800000
uboot_name=u-boot.bin                                                         
uboot_addr=0x9F000000
ethaddr=FC:05:6B:C2:34:CE                                                     
ethact=eth0                                                                   
bootfile=firmware.bin                                                         
serverip=192.168.100.100                                                         
netmask=255.255.255.0                                                     
ipaddr=192.168.100.10

Above, we have set serverip (our computer's IP) and ipaddr (the router's IP) with the following commands,

set serverip 192.168.100.100
set ipaddr 192.168.100.10

Note that on our computer we have set its IP address to 192.168.100.100 with netmask 255.255.255.0 and gateway 192.168.100.10. The whole process is described here: Flashing router with serial port

Now about U-Boot: it resides in the first 0x20000 (128KB) of your flash memory chip. So make sure your intended U-Boot binary image is 128KB or less in size.  If your U-Boot size is 0x1ec00 (123 KB), you must copy the nearest multiple of 64KB in size; for us it's 2x64=128KB!! (0x20000)

Now, copy a compatible U-Boot image/bin file to your TFTP server directory.
If you are flashing a tl840/841 qca9533 (CPU) based router, it should be something like this,
u-boot_mod__tp-link_tl-wr841n_v9__20181017__git_master-7a540a78.bin (For qca9533-al3a)
u-boot_mod__tp-link_tl-wr841n_v10__20180223__git_master-7a540a78.bin (For qca9533-bl3a)
u-boot_mod__tp-link_tl-wr841n_v11__20180223__git_master-7a540a78.bin (same as above)

Rename the above file to something short like uboot-new.bin and copy it to the TFTP server directory.

Now ping your server, i.e. your computer, from the existing U-Boot with ping 192.168.100.100. If it says the server exists or the ping is successful, then use the following commands,

1. Copy the image from the TFTP server on your computer (192.168.100.100) to your router's RAM with the following command,

ap123> tftpboot 0x80800000 uboot-new.bin
eth1 link down
Using eth0 device
TFTP from server 192.168.100.100; our IP address is 192.168.100.10
Filename 'uboot-new.bin'.
Load address: 0x80800000
Loading: #########################
done
Bytes transferred = 125952 (1ec00 hex)

ap123>

2. Now erase the first 0x20000 (128KB) of flash space.  The U-Boot address is given in the 'printenv' output, so we erase,

ap123> erase 0x9F000000 +0x20000

First 0x0 last 0x1 sector size 0x10000
Erased 2 sectors

ap123>

3. Now your router does not have a boot loader, so do not POWER DOWN the device/router.  Copy the image to the flash chip with the following command,

ap123> cp.b 0x80800000 0x9F000000 0x20000

Copy to Flash... write addr: 9f000000
done

If everything looks ok, then do,

4. ap123> reset

This will reset the board and boot the new bootloader!!
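A host-side check to run before steps 1 to 4 and the size rule above, given as an added example that is not part of the original post. It goes slightly further than the text by padding the image to a whole number of 64KB sectors with 0xFF, so the length given to cp.b covers only known bytes; the expected_sha256 parameter and the availability of a crc32 command in your U-Boot build are assumptions.

```python
import hashlib
import zlib

SECTOR = 0x10000         # erase sector size reported by "erase" (64 KB)
UBOOT_MAX = 0x20000      # boot loader region: first 128 KB of flash
LOAD_ADDR = 0x80800000   # loadaddr from printenv
FLASH_ADDR = 0x9F000000  # uboot_addr from printenv


def preflight(image: bytes, expected_sha256: str = "") -> dict:
    """Validate a U-Boot image and derive the console commands for it.

    expected_sha256 is a hypothetical input: a digest obtained from the
    place the image was downloaded from, if one is published there.
    """
    size = len(image)
    if size == 0:
        raise ValueError("image is empty")
    if size > UBOOT_MAX:
        raise ValueError(f"image is {size:#x} bytes, limit is {UBOOT_MAX:#x}")
    digest = hashlib.sha256(image).hexdigest()
    if expected_sha256 and digest != expected_sha256.lower():
        raise ValueError("SHA-256 mismatch: do not flash this file")
    # Round up to whole erase sectors; 0xFF is the erased-flash value.
    flash_len = -(-size // SECTOR) * SECTOR
    padded = image + b"\xff" * (flash_len - size)
    crc = f"{zlib.crc32(padded) & 0xFFFFFFFF:08x}"
    return {
        "size": size, "flash_len": flash_len, "sha256": digest,
        "crc32": crc, "padded": padded,
        "commands": [
            f"tftpboot {LOAD_ADDR:#x} uboot-new.bin",
            # Assumes this U-Boot build includes the crc32 command; its
            # result must equal "crc32" above before anything is erased.
            f"crc32 {LOAD_ADDR:#x} {flash_len:#x}",
            f"erase {FLASH_ADDR:#x} +{flash_len:#x}",
            f"cp.b {LOAD_ADDR:#x} {FLASH_ADDR:#x} {flash_len:#x}",
        ],
    }


if __name__ == "__main__":
    # Constructed stand-in for a 0x1ec00-byte image, not a real boot loader.
    sample = bytes(range(256)) * (0x1EC00 // 256)
    result = preflight(sample)
    print(f"flash length {result['flash_len']:#x}, crc32 {result['crc32']}")
    print("\n".join(result["commands"]))
```

Write the returned "padded" bytes to the TFTP directory as uboot-new.bin, and stop before the erase step if the CRC printed on the router console differs from the one computed here.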

If you are upgrading a 2 MB or 4 MB flash chip to an 8MB or 16MB flash chip, the process is simple.
1. First flash/install OpenWrt on the old chip, with the original U-Boot.
2. Back up U-Boot and ART from OpenWrt with the mtd or dd command; see the "Flashing with serial port" page.
3. Flash U-Boot to the new flash chip with an external programmer; this can be done with a ch341a or tl866ii programmer or others, e.g. a Raspberry Pi!!
4. Solder the new chip to the router and boot up into the new U-Boot.
5. Flash OpenWrt or your chosen OS/firmware.
6. Flash ART from the web interface of the pepe2k U-Boot, or use the serial console just like flashing U-Boot, OpenWrt, DD-WRT etc.


We shall try posting CFE upload at a later date.
