
20190422

TP-Link Archer C7 v2.0 debrick

Yes, I bricked my TP-Link Archer C7 v2.0 (16MB flash memory). Even the 'normal' TFTP method did not work (with TFTP server IP address: 192.168.0.66).

That means opening the C7 case, soldering 3 pins for a (USB-RS232) console, and observing the console output.

Rx, Tx and Ground pin soldered, and USB-RS232 adapter attached


The brick symptoms were:
- Repetitive rebooting of the router (every 20 seconds or so)
- The "System" LED (next to the Power LED) stays on continuously

Once the console was active (I use TeraTerm, 115k2/8/1/n), I saw the error below. Something had gone wrong with the last firmware load; the kernel cannot mount the squashfs root filesystem and panics:

---8< ----------------------------------------------------------------------------
..
..
[    0.900000] nvram size = 65536
[    0.950000] Atheros AR71xx hardware watchdog driver version 0.1.0
[    0.960000] ar71xx-wdt: timeout=15 secs (max=107) ref freq=40000000
[    0.980000] squashfs: SQUASHFS error: unable to read id index table
[    0.980000] List of all partitions:
[    0.990000] 1f00             128 mtdblock0  (driver?)
[    0.990000] 1f01           16128 mtdblock1  (driver?)
[    1.000000] 1f02            6852 mtdblock2  (driver?)
[    1.000000] 1f03            8256 mtdblock3  (driver?)
[    1.010000] 1f04              64 mtdblock4  (driver?)
[    1.010000] 1f05              64 mtdblock5  (driver?)
[    1.020000] 1f06           16384 mtdblock6  (driver?)
[    1.020000] 1f07             128 mtdblock7  (driver?)
[    1.030000] 1f08              64 mtdblock8  (driver?)
[    1.030000] No filesystem could mount root, tried:  squashfs
[    1.040000] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(31,2)

[    1.040000] Rebooting in 1 seconds..

---8< ---------------------------------------------------------------------------- 

To set up the recovery, we need to:

- Download a "known good" Archer C7 image (from the OpenWRT AC1750 webpage)

- Collect some data:
1. The TFTP server address (192.168.1.100)
2. The default TFTP image name (6F01A8C0.img)
3. The image size (0xf80000)
4. The "Load Address" (default, 0x81000000)
5. The final memory address (0x9f020000)

Setting up the TFTP server (the unsurpassed TFTP32 server) is easy:

TFTP32 setup. Note the renamed firmware file

I connected the TFTP server directly to the LAN port 1 of the Archer C7.

To get a command prompt, you need to type tpl (maybe a couple of times) during the boot of the Archer C7. It will lead to a "ap135>" prompt.

Check the console output. Typed commands in RED, interesting values in GREEN.

---8< ----------------------------------------------------------------------------

U-Boot 1.1.4 (Apr 27 2016 - 10:19:42)

ap135 - Scorpion 1.0DRAM:
sri
Scorpion 1.0
ath_ddr_initial_config(178): (32bit) ddr2 init
ath_gmac_enet_initialize: reset mask:c02200
Scorpion  ----> S17 PHY *
Vlan config...
TEST: FINAL REG VAL after TX Calibration - 0x46000000
TEST: FINAL XMII VAL after RX Calibration - 0x56000000
TEST: FINAL ETH_CFG VAL after RX Calibration - 0x00028001
athrs17_reg_init: complete
: cfg1 0x80000000 cfg2 0x7335
eth0: ba:be:fa:ce:08:41
eth0 up
athrs17_reg_init_wan done
SGMII in forced mode
athr_gmac_sgmii_setup SGMII done
: cfg1 0x800c0000 cfg2 0x7214
eth1: ba:be:fa:ce:08:41
eth1 up
eth0, eth1
Setting 0x18116290 to 0x58b1214f
Autobooting in 1 seconds

; Typing 'tpl' here quickly. Then you will get the 'ap135>' prompt...


ap135> printenv
bootargs=console=ttyS0,115200 root=31:02 rootfstype=jffs2 init=/sbin/init mtdparts=ath-nor0:256k(u-boot),64k(u-boot-env),6336k(rootfs),1408k(uImage),8256k(mib0),64k(ART)
bootcmd=bootm 0x9f020000
bootdelay=1
baudrate=115200
ethaddr=0xba:0xbe:0xfa:0xce:0x08:0x41
ipaddr=192.168.1.111
serverip=192.168.1.100
dir=
lu=tftp 0x80060000 ${dir}u-boot.bin&&erase 0x9f000000 +$filesize&&cp.b $fileaddr 0x9f000000 $filesize
lf=tftp 0x80060000 ${dir}ap135${bc}-jffs2&&erase 0x9f050000 +0x630000&&cp.b $fileaddr 0x9f050000 $filesize
lk=tftp 0x80060000 ${dir}vmlinux${bc}.lzma.uImage&&erase 0x9f680000 +$filesize&&cp.b $fileaddr 0x9f680000 $filesize
stdin=serial
stdout=serial
stderr=serial
ethact=eth0

Environment size: 688/65532 bytes

ap135>
ap135> tftpboot
dup 1 speed 1000
*** Warning: no boot file name; using '6F01A8C0.img'
Using eth1 device
TFTP from server 192.168.1.100; our IP address is 192.168.1.111
Filename '6F01A8C0.img'.
Load address: 0x81000000
Loading: #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #######################################################
done
Bytes transferred = 16252928 (f80000 hex)
ap135> erase 0x9f020000 +f80000
Erasing flash...
First 0x2 last 0xf9 sector size 0x10000
 249
Erased 248 sectors
ap135> cp.b 0x81000000 0x9f020000 0xf80000
Copy to Flash... write addr: 9f020000
done
ap135> reset



U-Boot 1.1.4 (Apr 27 2016 - 10:19:42)

ap135 - Scorpion 1.0DRAM:
sri
Scorpion 1.0
ath_ddr_initial_config(178): (32bit) ddr2 init
tap = 0x00000003
Tap (low, high) = (0x3, 0x1c)
Tap values = (0xf, 0xf, 0xf, 0xf)
128 MB
Flash Manuf Id 0xc8, DeviceId0 0x40, DeviceId1 0x18
flash size 16MB, sector count = 256
Flash: 16 MB
Using default environment

*** Warning *** : PCIe WLAN Module not found !!!
In:    serial
Out:   serial
Err:   serial
Net:   ath_gmac_enet_initialize...
athrs_sgmii_res_cal: cal value = 0xe
No valid address in Flash. Using fixed address
No valid address in Flash. Using fixed address
ath_gmac_enet_initialize: reset mask:c02200
Scorpion  ----> S17 PHY *
Vlan config...
TEST: FINAL REG VAL after TX Calibration - 0x46000000
TEST: FINAL XMII VAL after RX Calibration - 0x56000000
TEST: FINAL ETH_CFG VAL after RX Calibration - 0x00028001
athrs17_reg_init: complete
: cfg1 0x80000000 cfg2 0x7335
eth0: ba:be:fa:ce:08:41
eth0 up
athrs17_reg_init_wan done
SGMII in forced mode
athr_gmac_sgmii_setup SGMII done
: cfg1 0x800c0000 cfg2 0x7214
eth1: ba:be:fa:ce:08:41
eth1 up
eth0, eth1
Setting 0x18116290 to 0x58b1214f
Autobooting in 1 seconds
## Booting image at 9f020000 ...
   Uncompressing Kernel Image ... OK

Starting kernel ...

[    0.000000] Linux version 4.9.152 (buildbot@builds-03.infra.lede-project.org) (gcc version 7.3.0 (OpenWrt GCC 7.3.0 r7549-217219e) ) #0 Mon Jan 28 08:54:32 2019
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 00019750 (MIPS 74Kc)
[    0.000000] SoC: Qualcomm Atheros QCA9558 ver 1 rev 0
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 08000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 32512
[    0.000000] Kernel command line:  board=ARCHER-C7-V2  console=ttyS0,115200 rootfstype=squashfs noinitrd
[    0.000000] PID hash table entries: 512 (order: -1, 2048 bytes)
[    0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Writing ErrCtl register=00000000
[    0.000000] Readback ErrCtl register=00000000
[    0.000000] Memory: 125004K/131072K available (3388K kernel code, 175K rwdata, 448K rodata, 268K init, 211K bss, 6068K reserved, 0K cma-reserved)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS:51
[    0.000000] Clocks: CPU:720.000MHz, DDR:600.000MHz, AHB:200.000MHz, Ref:40.000MHz
[    0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 5309056796 ns
[    0.000008] sched_clock: 32 bits at 360MHz, resolution 2ns, wraps every 5965232126ns
[    0.008297] Calibrating delay loop... 358.80 BogoMIPS (lpj=1794048)
[    0.071187] pid_max: default: 32768 minimum: 301
[    0.076186] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.083231] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.092887] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.103385] futex hash table entries: 256 (order: -1, 3072 bytes)
[    0.110866] NET: Registered protocol family 16
[    0.116787] MIPS: machine is TP-LINK Archer C7
[    0.124600] ar724x-pci ar724x-pci.0: PCIe link is down
[    0.130102] registering PCI controller with io_map_base unset
[    0.136314] registering PCI controller with io_map_base unset
[    0.623010] Can't analyze schedule() prologue at 803ab684
[    0.637838] PCI host bridge to bus 0000:00
[    0.642205] pci_bus 0000:00: root bus resource [mem 0x10000000-0x11ffffff]
[    0.649551] pci_bus 0000:00: root bus resource [io  0x0000]
[    0.655479] pci_bus 0000:00: root bus resource [??? 0x00000000 flags 0x0]
[    0.662703] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
[    0.671240] PCI host bridge to bus 0000:01
[    0.675618] pci_bus 0000:01: root bus resource [mem 0x12000000-0x13ffffff]
[    0.682929] pci_bus 0000:01: root bus resource [io  0x0001]
[    0.688859] pci_bus 0000:01: root bus resource [??? 0x00000000 flags 0x0]
[    0.696075] pci_bus 0000:01: No busn resource found for root bus, will use [bus 01-ff]
[    0.704874] pci 0000:01:00.0: BAR 0: assigned [mem 0x12000000-0x121fffff 64bit]
[    0.712667] pci 0000:01:00.0: BAR 6: assigned [mem 0x12200000-0x1220ffff pref]
[    0.720371] pci 0000:01:00.0: using irq 41 for pin 1
[    0.728355] clocksource: Switched to clocksource MIPS
[    0.734622] NET: Registered protocol family 2
[    0.740038] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[    0.747457] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[    0.754261] TCP: Hash tables configured (established 1024 bind 1024)
[    0.761103] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.767328] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.774231] NET: Registered protocol family 1
[    0.781155] Crashlog allocated RAM at address 0x3f00000
[    0.787592] workingset: timestamp_bits=30 max_order=15 bucket_order=0
[    0.800206] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.806406] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.824353] io scheduler noop registered
[    0.828559] io scheduler deadline registered (default)
[    0.834371] Serial: 8250/16550 driver, 16 ports, IRQ sharing enabled
[    0.843343] console [ttyS0] disabled
[    0.867219] serial8250.0: ttyS0 at MMIO 0x18020000 (irq = 11, base_baud = 2500000) is a 16550A
[    0.876401] console [ttyS0] enabled
[    0.876401] console [ttyS0] enabled
[    0.883819] bootconsole [early0] disabled
[    0.883819] bootconsole [early0] disabled
[    0.897140] m25p80 spi0.0: found gd25q128, expected m25p80
[    0.904961] m25p80 spi0.0: gd25q128 (16384 Kbytes)
[    0.910308] 5 tp-link partitions found on MTD device spi0.0
[    0.915955] Creating 5 MTD partitions on "spi0.0":
[    0.920849] 0x000000000000-0x000000020000 : "u-boot"
[    0.927396] 0x000000020000-0x0000001703cc : "kernel"
[    0.934086] 0x0000001703cc-0x000000ff0000 : "rootfs"
[    0.940429] mtd: device 2 (rootfs) set to be root filesystem
[    0.946212] 1 squashfs-split partitions found on MTD device rootfs
[    0.952525] 0x000000400000-0x000000ff0000 : "rootfs_data"
[    0.959755] 0x000000ff0000-0x000001000000 : "art"
[    0.966160] 0x000000020000-0x000000ff0000 : "firmware"
[    0.973843] libphy: Fixed MDIO Bus: probed
[    0.991112] switch0: Atheros AR8327 rev. 4 switch registered on ag71xx-mdio.0
[    1.687208] libphy: ag71xx_mdio: probed
[    2.319859] ag71xx ag71xx.0: connected to PHY at ag71xx-mdio.0:00 [uid=004dd034, driver=Atheros AR8216/AR8236/AR8316]
[    2.331213] eth0: Atheros AG71xx at 0xb9000000, irq 4, mode:RGMII
[    2.608350] random: fast init done
[    2.959985] eth1: Atheros AG71xx at 0xba000000, irq 5, mode:SGMII
[    2.967940] NET: Registered protocol family 10
[    2.975880] NET: Registered protocol family 17
[    2.980474] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
[    2.993717] 8021q: 802.1Q VLAN Support v1.8
[    2.999358] hctosys: unable to open rtc device (rtc0)
[    3.010422] VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
[    3.018586] Freeing unused kernel memory: 268K
[    3.023098] This architecture does not have kernel memory protection.
[    3.716372] init: Console is alive
[    3.720042] init: - watchdog -
[    4.768613] kmodloader: loading kernel modules from /etc/modules-boot.d/*
[    4.826778] usbcore: registered new interface driver usbfs
[    4.832465] usbcore: registered new interface driver hub
[    4.837923] usbcore: registered new device driver usb
[    4.847310] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    4.855215] ehci-platform: EHCI generic platform driver
[    4.860633] ehci-platform ehci-platform.0: EHCI Host Controller
[    4.866673] ehci-platform ehci-platform.0: new USB bus registered, assigned bus number 1
[    4.876954] ehci-platform ehci-platform.0: TX-TX IDP fix enabled
[    4.883089] ehci-platform ehci-platform.0: irq 48, io mem 0x1b000000
[    4.918386] ehci-platform ehci-platform.0: USB 2.0 started, EHCI 1.00
[    4.925643] hub 1-0:1.0: USB hub found
[    4.929762] hub 1-0:1.0: 1 port detected
[    4.934043] ehci-platform ehci-platform.1: EHCI Host Controller
[    4.940117] ehci-platform ehci-platform.1: new USB bus registered, assigned bus number 2
[    4.950398] ehci-platform ehci-platform.1: TX-TX IDP fix enabled
[    4.956508] ehci-platform ehci-platform.1: irq 49, io mem 0x1b400000
[    4.988377] ehci-platform ehci-platform.1: USB 2.0 started, EHCI 1.00
[    4.995634] hub 2-0:1.0: USB hub found
[    4.999742] hub 2-0:1.0: 1 port detected
[    5.004376] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
[    5.022088] init: - preinit -
[    6.151137] eth1: link up (1000Mbps/Full duplex)
[    6.174613] random: procd: uninitialized urandom read (4 bytes read)
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[    9.399895] mount_root: jffs2 not ready yet, using temporary tmpfs overlay
[    9.427110] urandom-seed: Seed file not found (/etc/urandom.seed)
[    9.563697] eth1: link down
[    9.575783] procd: - early -
[    9.579345] procd: - watchdog -
[   10.185692] procd: - watchdog -
[   10.189139] procd: - ubus -
[   10.308559] random: ubusd: uninitialized urandom read (4 bytes read)
[   10.343845] random: ubusd: uninitialized urandom read (4 bytes read)
[   10.350696] random: ubusd: uninitialized urandom read (4 bytes read)
[   10.357911] procd: - init -
Please press Enter to activate this console.
[   10.685680] kmodloader: loading kernel modules from /etc/modules.d/*
[   10.717297] ip6_tables: (C) 2000-2006 Netfilter Core Team
[   10.732772] Loading modules backported from Linux version wt-2017-11-01-0-gfe248fc2c180
[   10.740929] Backport generated by backports.git v4.14-rc2-1-31-g86cf0e5d
[   10.750247] ip_tables: (C) 2000-2006 Netfilter Core Team
[   10.762627] nf_conntrack version 0.5.0 (2048 buckets, 8192 max)
[   10.813315] xt_time: kernel timezone is -0000
[   10.983726] PPP generic driver version 2.4.2
[   10.990092] NET: Registered protocol family 24
[   11.012461] PCI: Enabling device 0000:01:00.0 (0000 -> 0002)
[   11.018392] ath10k_pci 0000:01:00.0: pci irq legacy oper_irq_mode 1 irq_mode 0 reset_mode 0
[   11.291655] ath10k_pci 0000:01:00.0: Direct firmware load for ath10k/pre-cal-pci-0000:01:00.0.bin failed with error -2
[   11.302538] ath10k_pci 0000:01:00.0: Falling back to user helper
[   11.478266] firmware ath10k!pre-cal-pci-0000:01:00.0.bin: firmware_loading_store: map pages failed
[   11.487612] ath10k_pci 0000:01:00.0: Direct firmware load for ath10k/cal-pci-0000:01:00.0.bin failed with error -2
[   11.498135] ath10k_pci 0000:01:00.0: Falling back to user helper
[   11.693906] ath10k_pci 0000:01:00.0: Direct firmware load for ath10k/QCA988X/hw2.0/firmware-6.bin failed with error -2
[   11.704794] ath10k_pci 0000:01:00.0: Falling back to user helper
[   11.797987] firmware ath10k!QCA988X!hw2.0!firmware-6.bin: firmware_loading_store: map pages failed
[   11.811570] ath10k_pci 0000:01:00.0: qca988x hw2.0 target 0x4100016c chip_id 0x043202ff sub 0000:0000
[   11.820960] ath10k_pci 0000:01:00.0: kconfig debug 0 debugfs 1 tracing 0 dfs 1 testmode 1
[   11.834005] ath10k_pci 0000:01:00.0: firmware ver 10.2.4-1.0-00037 api 5 features no-p2p,raw-mode,mfp,allows-mesh-bcast crc32 a4a52adb
[   11.928546] ath10k_pci 0000:01:00.0: Direct firmware load for ath10k/QCA988X/hw2.0/board-2.bin failed with error -2
[   11.939164] ath10k_pci 0000:01:00.0: Falling back to user helper
[   12.013171] firmware ath10k!QCA988X!hw2.0!board-2.bin: firmware_loading_store: map pages failed
[   12.043757] ath10k_pci 0000:01:00.0: board_file api 1 bmi_id N/A crc32 bebc7c08
[   13.155218] ath10k_pci 0000:01:00.0: htt-ver 2.1 wmi-op 5 htt-op 2 cal file max-sta 128 raw 0 hwcrypto 1
[   13.362689] ieee80211 phy1: Atheros AR9550 Rev:0 mem=0xb8100000, irq=47
[   13.429860] kmodloader: done loading kernel modules from /etc/modules.d/*
[   14.702780] urandom_read: 5 callbacks suppressed
[   14.702787] random: jshn: uninitialized urandom read (4 bytes read)
[   27.319497] jffs2_scan_eraseblock(): End of filesystem marker found at 0x0
[   27.326493] jffs2_build_filesystem(): unlocking the mtd device... [   27.381544] done.
[   27.383513] jffs2_build_filesystem(): erasing all blocks after the end marker... [   27.711445] eth1: link up (1000Mbps/Full duplex)
[   27.716209] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[   27.770060] br-lan: port 1(eth1.1) entered blocking state
[   27.775547] br-lan: port 1(eth1.1) entered disabled state
[   27.781392] device eth1.1 entered promiscuous mode
[   27.786253] device eth1 entered promiscuous mode
[   27.890730] br-lan: port 1(eth1.1) entered blocking state
[   27.896213] br-lan: port 1(eth1.1) entered forwarding state
[   27.902017] IPv6: ADDRCONF(NETDEV_UP): br-lan: link is not ready
[   27.972727] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[   28.030987] IPv6: ADDRCONF(NETDEV_UP): eth0.2: link is not ready
[   28.778448] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
[   28.785176] IPv6: ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready
[   29.020876] eth0: link up (1000Mbps/Full duplex)
[   29.082898] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[   29.124526] IPv6: ADDRCONF(NETDEV_CHANGE): eth0.2: link becomes ready
[   52.917865] done.
[   52.919871] jffs2: notice: (1346) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
[  128.858387] random: crng init done


---8< ----------------------------------------------------------------------------

That's all! Through the OpenWRT console (192.168.1.1), you can update other firmware again.
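
A pre-flight check for the erase and cp.b steps above, added here as an example (not part of the original post): it confirms the image hash, since TFTP carries no integrity or authentication, and refuses any erase range that would reach the u-boot or art partitions. Addresses and sizes are read from the logs on this page; the function names and the zero-filled sample image are constructed for illustration, and the expected hash is assumed to come from the download page.

```python
import hashlib
import ipaddress

# Values below are read off the console log on this page.
FLASH_BASE = 0x9F000000   # flash is memory-mapped here (bootcmd=bootm 0x9f020000)
SECTOR = 0x10000          # "sector size 0x10000"
LOAD_ADDR = 0x81000000    # RAM address tftpboot loaded the image to
# MTD layout printed by the OpenWrt kernel, as offsets from FLASH_BASE.
PARTS = {
    "u-boot": (0x000000, 0x020000),
    "firmware": (0x020000, 0xFF0000),
    "art": (0xFF0000, 0x1000000),   # per-device radio calibration data
}


def default_tftp_name(ipaddr):
    """File name requested when no boot file is set, as seen in the log:
    the bootloader's own IPv4 octets in reverse order, in hex, plus '.img'."""
    return ipaddress.IPv4Address(ipaddr).packed[::-1].hex().upper() + ".img"


def plan_flash(image, dest, expected_sha256=None):
    """Validate an image and return the erase/cp.b commands for it.

    Raises ValueError if the hash does not match or if the erase range
    would leave the 'firmware' partition (touching u-boot or art)."""
    if not image:
        raise ValueError("empty image")
    if expected_sha256 is not None:
        if hashlib.sha256(image).hexdigest() != expected_sha256.lower():
            raise ValueError("image SHA-256 does not match expected value")
    start = dest - FLASH_BASE
    if start % SECTOR:
        raise ValueError("destination is not sector-aligned")
    erase_len = -(-len(image) // SECTOR) * SECTOR   # round up to whole sectors
    end = start + erase_len
    fw_start, fw_end = PARTS["firmware"]
    if start < fw_start or end > fw_end:
        hit = [name for name, (lo, hi) in PARTS.items()
               if name != "firmware" and start < hi and lo < end]
        raise ValueError("erase range leaves firmware partition, touches %s" % hit)
    return {
        "first_sector": start // SECTOR,
        "last_sector": end // SECTOR - 1,
        "commands": [
            "erase %#x +%#x" % (dest, erase_len),
            "cp.b %#x %#x %#x" % (LOAD_ADDR, dest, len(image)),
        ],
    }


if __name__ == "__main__":
    # Constructed stand-in for the image: zero bytes of the size in the log.
    sample = bytes(0xF80000)
    digest = hashlib.sha256(sample).hexdigest()
    print(default_tftp_name("192.168.1.111"))
    plan = plan_flash(sample, 0x9F020000, expected_sha256=digest)
    print(hex(plan["first_sector"]), hex(plan["last_sector"]))
    for cmd in plan["commands"]:
        print(cmd)
```

The sector numbers it computes for the 0xf80000-byte image match the "First 0x2 last 0xf9" line U-Boot printed during the erase.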

Helpful links:
- https://openwrt.org/toh/tp-link/archer-c5-c7-wdr7500#tftp_recovery_de-bricking
- https://www.youtube.com/watch?v=Ng5chUjgkkE&feature=youtu.be 

