Almost 20 (OK, it’s only 17 or so) years ago I was dealing with WiFi access points and routers several times a week. There was always a pile of Linksys WRT54G or the Fonera devices which needed flashing or recovery on my desk. JTAG made it possible to bring some of them back to life.
I got an old TP-Link TL-WA901ND v4 from a friend. The device was not using the default username/password combination that was printed on the label. OK, I could simply reset the device, but I was curious what I could get without credentials.
Two screws had to be removed and a knife was needed to open the casing. Not much to see. Unpopulated headers… serial interface? JTAG? The OpenWRT wiki is usually a good place to find information about a WiFi device. Unfortunately, the pin layout is only documented for a different hardware version.
I was using a clone of an ARMFLY Mini-Logic, which is a USB-based, 8-channel logic analyzer with up to 24 MHz sampling rate, and sigrok's PulseView to get details. The interface of sigrok is straightforward. Simply add the logic analyser and a decoder (“Add protocol decoder”, choose “UART” and add the channel).
Power up the access point for a couple of seconds and check the output from the logic analyser. By setting the cursors I was able to grab a time of 8.6 us, which works out to approx. 116279 bit/s (1 / 8.6 us). The closest standard rate is 115200, thus the baud rate is 115200. No surprise here.
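The cursor measurement above can also be done on exported edge timestamps. The following is an added example, not code from the original post: it takes the shortest pulse in a capture as one bit time and snaps the result to the nearest standard baud rate. The function names, the list of standard rates, the 3 % error limit and the sample capture (the bytes `U-Boot` sent as 8N1) are assumptions made for illustration.

```python
STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600)

def uart_edges(data, bit_time_s):
    """Constructed sample input: edge timestamps of `data` sent as 8N1, LSB first."""
    levels = []
    for byte in data:
        # start bit (0), eight data bits LSB first, stop bit (1)
        levels += [0] + [(byte >> i) & 1 for i in range(8)] + [1]
    edges, prev = [], 1  # the line idles high
    for n, level in enumerate(levels):
        if level != prev:
            edges.append(n * bit_time_s)
        prev = level
    return edges

def estimate_bit_time(edges_s, tolerance=0.25):
    """Average all pulses within `tolerance` of the shortest one.

    The shortest pulse is one bit long only if the capture contains an
    isolated bit, which is the case for most ASCII boot output.
    """
    widths = [b - a for a, b in zip(edges_s, edges_s[1:])]
    if not widths:
        raise ValueError("need at least two edges")
    shortest = min(widths)
    single_bits = [w for w in widths if w <= shortest * (1 + tolerance)]
    return sum(single_bits) / len(single_bits)

def nearest_standard_baud(bit_time_s, max_error=0.03):
    """Return (standard_baud, raw_rate, relative_error).

    max_error is an assumed limit; a larger deviation suggests a
    non-standard rate or a pulse that is not a single bit.
    """
    raw = 1.0 / bit_time_s
    best = min(STANDARD_BAUDS, key=lambda b: abs(b - raw))
    error = abs(raw - best) / best
    if error > max_error:
        raise ValueError(f"{raw:.0f} bit/s is not close to a standard rate")
    return best, raw, error

if __name__ == "__main__":
    edges = uart_edges(b"U-Boot", 8.6e-6)  # constructed capture, 8.6 us per bit
    baud, raw, err = nearest_standard_baud(estimate_bit_time(edges))
    print(f"measured {raw:.0f} bit/s -> {baud} baud ({err:.2%} off)")
```

With a 24 MHz sampling rate, one sample is about 0.04 us, so an 8.6 us bit spans roughly 200 samples and the measurement error stays well below the distance between standard rates.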
The OpenWRT wiki contains the password needed to access the device over serial and use the uBoot environment.
I will stop here because after this point I would only duplicate existing details.