TD-W8951ND JTAG Port

I have a TD-W8951ND (v3.0) router. I was looking around for some way to flash it with OpenWrt or DD-WRT, but to no avail; it appears that no one has this router.

TD-W8951ND JTAG

Hook that up to a simple Serial to USB converter and you're in! Upon booting the device, this is what's displayed:

Bootbase Version: VTC_SPI1.12 | 2010/09/09 13:41:30
RAM: Size = 16384 Kbytes
DRAM POST: Testing: 16384K
OK
Found SPI Flash 2MiB EN25F16 at 0xbfc00000
RAS Version: 3.0.1 Build 110721 Rel.33550
System   ID: $2.12.35.0(SRE9.D3)3.12.8.31 20110324_V001  | 2011/03/24

Press any key to enter debug mode within 3 seconds.
.................

This is what the normal boot sequence looks like:

The password requested at the end of the video is the admin password (admin by default), used to access the device's admin terminal, which lets you change the configuration. It's the same terminal you can access via telnet (explored here: https://asciinema.org/a/38169).

What's more interesting is "Debug mode", which gives access to raw memory that you can upload and download using XModem.
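Before analysing a memory image pulled over XModem, it is worth confirming that every block arrived intact. The following is an added example, not code from this post or from the router's bootloader: it validates a captured sender-side XMODEM byte stream (128-byte blocks, checksum or CRC-16 mode) and reassembles the payload. Standard XMODEM framing is assumed, since the post does not say which mode the bootloader uses; `build_sample` only constructs test input.

```python
# Added example: offline check of a captured XMODEM transfer (128-byte blocks).
# Assumption: standard XMODEM framing; the post does not say which mode is used.
SOH, EOT, PAD = 0x01, 0x04, 0x1A


def crc16_xmodem(data: bytes) -> int:
    """CRC-16/XMODEM: polynomial 0x1021, initial value 0, no reflection."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1) & 0xFFFF
    return crc


def trailer(data: bytes, use_crc: bool) -> bytes:
    """Integrity trailer for one block: 2-byte CRC or 1-byte arithmetic checksum."""
    return crc16_xmodem(data).to_bytes(2, "big") if use_crc else bytes([sum(data) & 0xFF])


def decode_xmodem(stream: bytes, use_crc: bool = True) -> bytes:
    """Return the block payloads (final-block padding included) or raise ValueError."""
    size = 3 + 128 + (2 if use_crc else 1)
    out, pos, expected = bytearray(), 0, 1
    while pos < len(stream):
        if stream[pos] == EOT:
            return bytes(out)
        frame = stream[pos:pos + size]
        if frame[0] != SOH or len(frame) < size:
            raise ValueError(f"bad or truncated block at offset {pos}")
        blk, inv, data = frame[1], frame[2], frame[3:131]
        if blk ^ inv != 0xFF or blk != expected:
            raise ValueError(f"block number error at offset {pos}: got {blk}, want {expected}")
        if frame[131:] != trailer(data, use_crc):
            raise ValueError(f"integrity check failed in block {blk}")
        out += data
        expected = (expected + 1) & 0xFF  # block numbers wrap 255 -> 0
        pos += size
    raise ValueError("stream ended without EOT")


def build_sample(payload: bytes, use_crc: bool = True) -> bytes:
    """Constructed test input: frame a payload the way a sender would."""
    stream = bytearray()
    for n, off in enumerate(range(0, len(payload), 128), start=1):
        data = payload[off:off + 128].ljust(128, bytes([PAD]))
        stream += bytes([SOH, n & 0xFF, 0xFF - (n & 0xFF)]) + data + trailer(data, use_crc)
    return bytes(stream + bytes([EOT]))
```

The decoder keeps the 0x1A padding of the last block, because trimming trailing bytes from a memory image without knowing its true length could remove real data.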

This blog article shows how to calculate the password that makes even more functions available, and how to use the memory download and upload functions to patch the device.

That will be the next step, extracting the firmware image, and finding a way to get a more hackable firmware on the device.