Adding support for TP-Link RE190 v4 (AC750 2.4/5GHz Wi-Fi Range Extender)

Hello OpenWrt Community!

How would we go with adding the support for TP-Link RE190 v4?
It is physically identical to the RE200 & RE220 which are obviously supported.
It seems as if all those different models (which have identical physical appearance) are simply re-bundled packages of the same underlying device with the same hardware (notice how RE190 follows hardware versioning identical to RE200).
To remind everyone, RE200 v4 & RE220 (v2) are based on MediaTek MT7628AN SoC...
We can only guess (without prying it open) it has the same hardware...
If the guess is true, what are the steps for rebuilding the firmware?
I naively tried flashing the RE200 v4 OpenWrt firmware (unmodified & with "RE200" -> "RE190" strings replaced) and nothing happened at all, didn't brick it nor did it reboot to OpenWrt...

Any help is appreciated!

Thanks!

How?
You probably need to use tftp and/or serial.
Still not a great idea, if you don't have serial console access.

So, when using the unmodified RE200 v4 OpenWrt 21.02.3 factory image, the upload was stuck at 0% (through TP-Link system upgrade section)... When using the naively-modified image (string replace), the upload gradually went from 0% to 100%, and it "Rebooting" modal popped up, after some time, literally nothing happened... It wasn't bricked and it definetely didn't flash OpenWrt successfully...

Anyhow, that approach was dead-naive, so I didn't expect it to work whatsoever...
We would obviously need to rebuild the firmware for that device, even though it is most probably based on the same SoC and has the same hw specs...

So, I read through RE200 thread in detail...
If I'm not wrong, the right steps would be as follows:

• open the device to identify its SoC
• attach to serial / UART pins to capture boot log
• prepare OpenWrt build environment
• if the hardware is very similar & compatible to RE200, simply rebuild the OpenWrt image using mktplinkfw

that's pretty much spot on.

you can skip the opening for now, and see if you can find the device on fccid.io
if it's there, and the SoC isn't supported, you won't have to open it.

This device is literally a ghost.
I cannot seem to find FCC ID anywhere on the box, nor on the device...
Even after performing few fuzzy searches on the fccid.io,
I still haven't found anything...
Keep in mind that its FCC ID should follow the strict TP-Link pattern of all the other devices in the same series...
Also, if you try to search any dev wiki website (wikidevi / deviwiki / techinfodepot), there are no matches...
Is it possible that the reason for its non-existence in the tech sheets is due to it simply being a re-bundled RE200 v4 (and, therefore, using its board and hardware etc)?

AFAIK fccid isn't the official FCC site, if the device's brand new, perhaps there's a gap between it being registered at FCC, and popping up at fccid.

you could always reach out to TP-Link, and ask them about the FCC id.

or it's a grey import.

Keep in mind that the latest RE200 (v5) cannot be supported due to the small amount of flash (4MB).

You could try to find a firmware upgrade file and check with binwalk if it's Linux-based or not. The RE200v5 is VxWorks-based which is a strong indicator for low flash/RAM.

No, the device is definitely running a Linux-based OS...
Notice the very similar hardware versioning to RE200...
Also, this is a binwalk output for the latest RE190 v4 stock firmware (v1.0.3):

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
88020         0x157D4         U-Boot version string, "U-Boot 1.1.3 (Oct 30 2020 - 10:10:17)"
106957        0x1A1CD         TP-Link firmware header, firmware version: 0.0.0, image version: "", product ID: 0x0, product version: 0, kernel load address: 0x0, kernel entry point: 0x80, kernel offset: 0, kernel length: 512, rootfs offset: 875472, rootfs length: 0, bootloader offset: 0, bootloader length: 0
107469        0x1A3CD         LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 2526892 bytes
982942        0xEFF9E         Squashfs filesystem, little endian, version 4.0, compression:xz, size: 6970316 bytes, 1068 inodes, blocksize: 262144 bytes, created: 2020-10-30 02:31:36

Thank you all for engaging in this post so far! Let's try to keep this thread alive for as long as possible...

That would mostly be on you, since you're the person with the unit in his/her lap ...

True! However, I would definitely use some help from other more experienced members of the community. Especially, help on how to re-pack an existing OpenWrt firmware for a different device model (with same hardware specs & SoC etc).
I can dump U-Boot logs and take pictures of the device board and everything else which might be of help...

Then I assume you've already got an USB TTL serial device .... ?
Pics always help, even if the serial port's easy to identify.

I have the tools, but I haven't yet opened this device and attached to its serial port...

Alright, I look at it like this, we have 2 viable approaches to analyzing this device's compatiblity:

1. Top-down - Static analysis
   • Analyze the stock firmware and compare it to a compatible device's (e.g. RE200 v4) stock firmware file
2. Bottom-up - Dynamic analysis
   • Open the device, attach to serial ports and tinker around
   • Get a shell access

1 will not get you all the way.

sure, you will be able to figure out what SoC it's using, but as soon you attempt to flash openwrt (custom made, or RE2*), you'll want to have that serial port up and running.

For the approach #1, here are some updates:

These are all the available stock firmware files for RE190 v4 & RE200 v5 combined:

re190v4_eu-up-ver1-0-1-P1[20190924-rel48678].bin
re190v4_eu-up-ver1-0-3-P1[20201030-rel37896].bin
re200v4_eu-up-ver1-0-6-P1[20200708-rel47302].bin
re200v4_ver1-0-8-P1[20210916-rel59255].bin

Notice the similarities (consecutiveness) in the firmware versions... As if the RE190 is a "predecessor" to RE200.

Next, let's selectively look at some of the extracted rootfs directories side by side.
First, both of them are obviously based on OpenWrt. There are signs everywhere... Init scripts structure, config dir structure, luci references, you name it...
But let's ignore that for now...

What we are looking for are pre-installed kernel modules.
Both of the firmwares (RE190 v4 & RE200 v4) are based on Kernel v2.6.36.x and contain these modules:

MT7610_ap.ko
bridge_netlink.ko
mt_wifi.ko
raeth.ko
ralink_spi_flash_ioctl.ko
rt_rdm.ko

Also, both of them contain an identical file /etc_ro/Wireless/RT2860/RT2860.dat and these are some of the interesting lines:

Line 6:

SSID1=RE305_2G

Lines 282-284:

WscManufacturer=TP-LINK TECHNOLOGIES CO., LTD.
WscModelName=RE305
WscDeviceName=RE305

Conclusion? These 2 devices are obviously very similar, even without getting our hands on the RE190 v4's hardware internals...
String references in the firmware's rootfs point both devices' firmware to another identically* specced device

My humble opinion is that there is not too much reverse engineering to be done in this case.
This device is a typical case of "one of those rebranded devices whose hardware is already supported".
Unfortunately, I'm not an experienced OpenWrt dev / porter, so I cannot easily create a firmware for this device, without doing some heavy research (I did create custom images before and also played with cross-compiling with OpenWrt SDK for few different targets) .
But I truly believe this would be a trivial task for any experienced OpenWrt firmware creator...

These are all the devices (ctrl+f "tplink_re") which are based on the same hardware and have their firmwares already developed for them.

So, me, or any other member, would have to go through basic instructions, and apply minimal modifications, as well as bundle (assemble headers etc) the firmware properly for TP-Link (using mktplinkfw or otherwise)...

@tmomas @exaghost I'm pinging you guys, since you were, among others, responsible for porting OpenWrt to RE200, RE220 & RE305...
Thank you and sorry to spam you if you are not interested in contributing in this particular case!

I was in no way responsible for porting any of the listed devices to OpenWrt.

Okay, sorry, my bad…
I saw those 2 usernames as authors / last editors of the wiki entries for the mentioned devices.

Cheers!