This repository details how to install OpenWrt on a TP-Link Archer C900 (US). I've been through these steps and though it's worked for me, it might not work for everyone. My C900 is currently fully functional on OpenWrt.
I'm not responsible for turning your router into a toaster. You're following these instructions of your own accord. These instructions are not for the faint of heart -- they are geared towards guiding fairly technical users. If you don't understand what you're doing when you run these commands or tools, you probably shouldn't be attempting this.
This guide assumes you're running Linux and that you have a Go installation.
On relatively recent devices (including the Archer C900) TP-Link seems to have implemented some kind of firmware verification scheme that prevents the installation of third-party firmware. Curiously, The Archer C2 v3, the EU region equivalent of the C900, seems to have no such protection, even though the two devices are practically identical in terms of hardware.
This approach to installing OpenWrt doesn't involve attacking the firmware verification scheme head-on. Instead, it relies on gaining shell access to the device. While there is a dropbear server running on port 22 by default, it seems to have been modified to disable PTY and exec channels, i.e. to disallow running any commands. TP-Link seem to be using the server as an authentication mechanism for the API behind their mobile app, which SSH forwards into a service listening on the router's localhost.
Fortunately, it's possible to configure the dropbear server to again allow the execution of
commands. This functionality is unfortunately not exposed through the web interface or mobile app,
because that would be too easy. Instead, one has to modify the encrypted backup file. The keys for
said backup file are hardcoded into the device firmware. The backup file itself is a tar file,
compressed with Zlib and encrypted in AES-256-CBC mode (in that order.) Inside the tar file, the
configuration is compressed and encrypted in the same manner and stored in
ori-backup-user-config.bin. The configuration file itself is XML which might be a straight dump
from UCI (TP-Link bases their firmware off OpenWrt 12.09.) TP-Link configures dropbear from UCI
variables as well, so the goal would be to download a backup, unpack it, modify dropbear config
keys, repack, then restore the backup via the webui.
This repository contains all the necessary tools to unpack and repack the configuration
file. Download it or clone it, cd to the directory, and let's get started.
Before even extracting the files, we need to extract the backup encryption keys from the stock firmware.
dd if=stock.bin of=stock.squashfs bs=1 skip=1105537.unsquashfs stock.squashfs.
This should decompress the filesystem into ./squashfs-root.strings squashfs-root/usr/lib/lua/luci/model/crypto.lua. This should output a sizeable list of
strings. What you're looking for is two hexadecimal strings. One of them (the key) should be
significantly longer than any other string in the list. The other one (IV) is right after the key..encryption_params.sample into .encryption_params. Paste the key and the IV you found
into the appropriate places in .encryption_params.You should download the backup file from the router (the page to do so should be in System Tools ->
Backup and Restore). These instructions will assume that you have the backup in this directory that
the tools are in with a name of backup.bin.
extract.sh.data/config.xml. There should be a section in the file
that looks something like this:<dropbear name="dropbear">
<RootPasswordAuth>on</RootPasswordAuth>
<SysAccountLogin>off</SysAccountLogin>
<Port>22</Port>
<PasswordAuth>on</PasswordAuth>
</dropbear><RemoteSSH>on</RemoteSSH>. Admire your handiwork and save the file.package.sh. You should now have a backup_final.bin file.backup_final.bin, on the same page that you used to download the
backup. Needless to say, don't turn off your router. It should reboot normally.At this point, your router should be online again after the restore reboot. If nothing went wrong,
you should be able to ssh directly into the router as root with the password you set for the
webui.
ssh into your router if you haven't already: ssh root@<router_ip>. Verify that you're able to
get to a prompt. If not, something went wrong along the way.openwrt-ath79-generic-tplink_archer-c2-v3-squashfs-sysupgrade.bin. You can alternatively use
any custom sysupgrade image, just make sure it's compatible with the Archer C2 v3. Please make
sure that it's a sysupgrade image, otherwise you will brick your router while attempting the
following steps.cat openwrt-ath79-generic-tplink_archer-c2-v3-squashfs-sysupgrade.bin | ssh root@<router_ip> 'cat >/tmp/firmware.bin'. The image is now uploaded to /tmp/, in RAM.cat /proc/mtd. Your output should be similar to this:dev: size erasesize name
mtd0: 00020000 00010000 "factory-uboot"
mtd1: 00010000 00010000 "u-boot"
mtd2: 00100000 00010000 "kernel"
mtd3: 006a0000 00010000 "rootfs"
mtd4: 00010000 00010000 "ART"If your partition layout (the output from this command) is any different, do not continue.
mtd write /tmp/firmware.bin mtd2:mtd3. Verify that mtd2 and mtd3
correspond with kernel and rootfs, respectively. This overwrites the stock kernel and rootfs
with the OpenWrt image. OpenWrt's partitioning is different than stock, but that doesn't really
matter -- there really isn't a partition table on this specific device, it's hardcoded into the
kernel. As far as I understand it, as long as the offset that u-boot boots from is the same, the
new kernel will boot and understand the partition layout and everyone will be happy.mtd command finishes, type reboot to reboot the router.Happy hacking!