I have a TD-W8951ND (v3.0) router, I was looking around for some way to flash it with OpenWRT of DD-Wrt, but to no avail, it appears that no-one has this router.
Hook that up to a simple Serial to USB converter and you're in ! Upon booting the device, this is what's displayed:
Bootbase Version: VTC_SPI1.12 | 2010/09/09 13:41:30 RAM: Size = 16384 Kbytes DRAM POST: Testing: 16384K OK Found SPI Flash 2MiB EN25F16 at 0xbfc00000 RAS Version: 3.0.1 Build 110721 Rel.33550 System ID: $22.214.171.124(SRE9.D3)126.96.36.199 20110324_V001 | 2011/03/24 Press any key to enter debug mode within 3 seconds. .................
This is what the normal boot sequence looks like:
The password requested at the end of the video is the admin password (
admin by default), used to access the device's admin terminal, allowing you to change the configuration. It's the same terminal you can access via telnet (explored here: https://asciinema.org/a/38169)
What's more interesting is "Debug mode", giving access to raw memory, that you can upload and download using XModem
This blog article shows how to calculate the password that makes even more functions available, and how to use the memory download and upload functions to patch the device.
That will be the next step, extracting the firmware image, and finding a way to get a more hackable firmware on the device.