Rubin Shrestha
Zend certified PHP/Magento developer
Rubin Shrestha
Blog

How to recover a bricked D-LINK DAP-1360 wifi access point using TFTP and the TBS Bootloader?

by |Published

I have a D-LINK DAP-1360 WiFi access point (Hardware version F2) that seems to be bricked. I have terminal access through the RX and TX ports and via a screen session using the screen /dev/ttyACM0 115200 command.

Here are the commands that are available on the terminal I get from the RX/TX ports of the D-LINK DAP-1360:

RTL8196# ?
?       - alias for 'help'
base    - print or set address offset
booth   - boot kernel from host
bootm   - boot application image from memory
cmp     - memory compare
cp      - memory copy
crc32   - checksum calculation
erase   - erase FLASH memory
flinfo  - print FLASH memory information
flitem  - print item information on FLASH memory
go      - start application at address 'addr'
help    - print online help
ifcfg   - Set the Ethernet interface up or down
loadb   - load binary file over serial line (kermit mode)
loop    - infinite loop on address range
md      - memory display
mm      - memory modify (auto-incrementing)
modify_sysc    - sysc modify
mtest   - simple RAM test
mw      - memory write (fill)
nm      - memory modify (constant address)
protect - enable or disable FLASH write protection
reg     - read[write] register at address 'addr'
reset   - Perform RESET of the CPU
saveb   - download BIN image via network using TFTP protocol and save it to flash
saves   - save image file over serial line (kermit mode)
savet   - download IMG image via network using TFTP protocol and save it to flash
tftp    - download image via network using TFTP protocol
unlzma  - decompress code with LZMADecoder
version - print monitor version
RTL8196#

I have attempted to update the firmware using the ‘savet’ command to transfer the original firmware from a tftp server to the device but without success.

RTL8196# savet 192.168.1.2 dap612_03.img
TFTP from server 192.168.1.2; our IP address is 192.168.1.1
Filename 'dap612_03.img'.
Load address: 0x80001000
Loading: #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         ################################################################
done
Bytes transferred = 3654824 (37c4a8 hex)
Erasing ........................................................
Burning .......................................................
Done

System update completely! Restarting system!

Booting...


TBS bootloader V1.0 (Dec 13 2018 - 16:29:10)

DRAM:  32 MB
Flash:  4 MB
The config data has lost!
Can't get system configuration.Use default vlaue.
init ehternet...
IP: 192.168.1.1 MAC: 00:02:03:04:05:06
IN: eth_init...
Hit Space or Enter key to stop autoboot:  0 
out : abortboot
Can't found system configuration! Please use "bootm addr" command.
IN: eth_init...
RTL8196#

The original firmware version for the hardware version I have is the DAP-1360_fw_revf_612eub03_EU_en_20181211.zip that can be downloaded here, and the latest version if available here. I have tried other versions of the firmware but without success.

The bootm command fails:

RTL8196# bootm 0x80001000
##failed!

The output of the flinfo command is:

RTL8196# flinfo

Bank # 1:   Spi flash ID: 0xef4016
  Size: 4 MB in 64 Sectors
  Sector Start Addresses:
    BFC00000      BFC10000      BFC20000      BFC30000      BFC40000     
    BFC50000      BFC60000      BFC70000      BFC80000      BFC90000     
    BFCA0000      BFCB0000      BFCC0000      BFCD0000      BFCE0000     
    BFCF0000      BFD00000      BFD10000      BFD20000      BFD30000     
    BFD40000      BFD50000      BFD60000      BFD70000      BFD80000     
    BFD90000      BFDA0000      BFDB0000      BFDC0000      BFDD0000     
    BFDE0000      BFDF0000      BFE00000      BFE10000      BFE20000     
    BFE30000      BFE40000      BFE50000      BFE60000      BFE70000     
    BFE80000      BFE90000      BFEA0000      BFEB0000      BFEC0000     
    BFED0000      BFEE0000      BFEF0000      BFF00000      BFF10000     
    BFF20000      BFF30000      BFF40000      BFF50000      BFF60000     
    BFF70000      BFF80000      BFF90000      BFFA0000      BFFB0000     
    BFFC0000      BFFD0000      BFFE0000      BFFF0000

The output of the flitem command is:

RTL8196# flitem

Dump part 0:
Item tbs_app_cfg locate at 0xbfc10002, length=0x11, flag=00, CRC=OK
Item llconfig locate at 0xbfc10018, length=0xf1, flag=00, CRC=OK
Item tbs_app_cfg locate at 0xbfc1010e, length=0x11, flag=00, CRC=OK
Item llconfig locate at 0xbfc10124, length=0xf1, flag=00, CRC=OK
Item tbs_app_cfg locate at 0xbfc1021a, length=0x11, flag=00, CRC=OK
Item llconfig locate at 0xbfc10230, length=0xf1, flag=00, CRC=OK
Item tbs_app_cfg locate at 0xbfc10326, length=0x11, flag=00, CRC=OK
Item llconfig locate at 0xbfc1033c, length=0xf1, flag=00, CRC=OK
Item tbs_app_cfg locate at 0xbfc10432, length=0x11, flag=00, CRC=OK
Item llconfig locate at 0xbfc10448, length=0xf1, flag=00, CRC=OK
Item tbs_app_cfg locate at 0xbfc1053e, length=0x11, flag=00, CRC=OK
Item llconfig locate at 0xbfc10554, length=0xf1, flag=00, CRC=OK
Item tbs_app_cfg locate at 0xbfc1064a, length=0x11, flag=11, CRC=OK
Item llconfig locate at 0xbfc10660, length=0xf1, flag=11, CRC=OK
Item �������������������� locate at 0xbfc10756, length=0xffff, flag=ff, CRC=BAD

Dump part 1:
Item �������������������� locate at 0xbfc20002, length=0xffff, flag=ff, CRC=BAD

The output of binwalk -e dap.img of the firmware gives the following files and directories:

$ ls -lah
total 9,7M
drwxrwxr-x  4  username  username 4,0K jul 24 00:40 .
drwxrwxr-x  3  username  username 4,0K jul 24 00:40 ..
-rw-rw-r--  1  username  username 2,4M jul 24 00:40 1174A4.squashfs
-rw-rw-r--  1  username  username 3,8M jul 24 00:40 A4
-rw-rw-r--  1  username  username 3,5M jul 24 00:40 A4.7z
drwxrwxr-x 13  username  username 4,0K jul 24 00:40 squashfs-root
drwxrwxr-x 13  username  username 4,0K jul 24 00:40 squashfs-root-0
$ cd squashfs-root
$ ls -lah
total 52K
drwxrwxr-x 13  username  username 4,0K jul 24 00:40 .
drwxrwxr-x  4  username  username 4,0K jul 24 00:40 ..
drwxrwxr-x  2  username  username 4,0K jan 14  2023 bin
drwxrwxr-x  5  username  username 4,0K jan 14  2023 dev
drwxrwxr-x  6  username  username 4,0K jan 14  2023 etc
drwxrwxr-x  3  username  username 4,0K jan 14  2023 lib
drwxrwxr-x  2  username  username 4,0K jan 14  2023 mnt
lrwxrwxrwx  1  username  username    3 jan 14  2023 pool -> var
drwxrwxr-x  2  username  username 4,0K jan 14  2023 proc
drwxrwxr-x  2  username  username 4,0K jan 14  2023 root
drwxrwxr-x  2  username  username 4,0K jan 14  2023 sbin
drwxrwxr-x  2  username  username 4,0K jan 14  2023 sys
lrwxrwxrwx  1  username  username    9 jul 24 00:40 tmp -> /dev/null
drwxrwxr-x  7  username  username 4,0K jan 14  2023 usr
drwxrwxr-x  2  username  username 4,0K jul 24 00:51 var
$ cd etc/
$ ls -lah
total 256K
drwxrwxr-x  6  username  username 4,0K jan 14  2023 .
drwxrwxr-x 13  username  username 4,0K jul 24 00:40 ..
drwxrwxr-x  2  username  username 4,0K jan 14  2023 ath
-rw-rw-r--  1  username  username  70K jan 14  2023 config_full.xml
-rwxrwxr-x  1  username  username  88K jan 14  2023 config.xml
lrwxrwxrwx  1  username  username   25 jan 14  2023 dhcp6c.conf -> ../var/dhcpv6/dhcp6c.conf
lrwxrwxrwx  1  username  username   25 jan 14  2023 dhcp6s.conf -> ../var/dhcpv6/dhcp6s.conf
lrwxrwxrwx  1  username  username   18 jan 14  2023 dproxy.conf -> ../var/dproxy.conf
-rwxrwxr-x  1  username  username  647 jan 14  2023 functions.sh
-rw-rw-r--  1  username  username   51 jan 14  2023 group
-rw-rw-r--  1  username  username   41 jan 14  2023 gshadow
-rw-rw-r--  1  username  username   17 jan 14  2023 host.conf
lrwxrwxrwx  1  username  username   12 jan 14  2023 hosts -> ../var/hosts
lrwxrwxrwx  1  username  username   21 jan 14  2023 igmpproxy.conf -> ../var/igmpproxy.conf
lrwxrwxrwx  1  username  username   17 jan 14  2023 inetd.conf -> ../var/inetd.conf
drwxrwxr-x  3  username  username 4,0K jan 14  2023 init.d
-rw-rw-r--  1  username  username   61 jan 14  2023 inittab
lrwxrwxrwx  1  username  username   15 jan 14  2023 iproute2 -> ../var/iproute2
lrwxrwxrwx  1  username  username   11 jan 14  2023 mtab -> ../var/mtab
-rw-rw-r--  1  username  username  130 jan 14  2023 passwd
-rwxrwxr-x  1  username  username  108 jan 14  2023 pc.ini
drwxrwxr-x  2  username  username 4,0K jul 24 00:40 ppp
lrwxrwxrwx  1  username  username   17 jan 14  2023 radvd.conf -> ../var/radvd.conf
lrwxrwxrwx  1  username  username   18 jan 14  2023 resolv.conf -> ../var/resolv.conf
-rw-rw-r--  1  username  username  164 jan 14  2023 services
-rw-rw-r--  1  username  username  235 jan 14  2023 shadow
lrwxrwxrwx  1  username  username   19 jan 14  2023 siproxd.conf -> ../var/siproxd.conf
-rwxrwxr-x  1  username  username  279 jan 14  2023 siproxd.tplt
lrwxrwxrwx  1  username  username   13 jan 14  2023 TZ -> ../var/tmp/TZ
lrwxrwxrwx  1  username  username   18 jan 14  2023 udhcpd.conf -> ../var/udhcpd.conf
lrwxrwxrwx  1  username  username   21 jan 14  2023 upnpd.conf -> ../var/miniupnpd.conf
-rw-rw-r--  1  username  username  30K jan 14  2023 var.tar
drwxrwxr-x  2  username  username 4,0K jan 14  2023 wps

You may also like