No big post. Because of the interest in reverse engineering these things I ripped mine apart and took some photos. So I’m sharing those here.
The only thing of note I can mention here is the 4 unpopulated pads that look suspiciously like a serial or UART header.
I had intended to raid this, but I can’t seem to locate my serial/UART adaptor and I killed my RPi with some careless power drilling. So, no firmware break and enter for you unfortunately.
Let me know if you manage to take a peek though.
Otherwise, here’s the world’s shittiest teardown for you.
1 screw under the serial number sticker, 2 in the back of the thing. Then it’s all poptabs from there. I’ve got 2 of these and didn’t intend on putting this back together, so I just grabbed a screw driver and pried it open with all the care this locked down piece of “just good enough for our customers ” hardware deserves. It’s never getting it’s case back after the things I did to it.
No flash rom to tap into here, it’s a Broadcom system on chip it seems. I couldn’t find a data sheet in the 3 mins I spent looking, but even if I did I would have started with that sus looking port to the bottom right of the heatsink footprint.
If there’s something similar on the version 2, I dare say that’s out way in to getting some juicy config or a firmware dump.
Pro tip: if you hold the WPS button down on power up, some TP-Link hardware boots into a maintenance or flash mode. So might be worth a shot.
Anyway have fun.
2 comments on “So I tore apart my Archer VR1600v” Add yours →
According to a reddit thread
it’s based on the BCM63168
Check out the openwrt page on this SoC family: