Archer A5 v4 bricked (Solved)

Hi, I have also a problem with my TP-Link Archer A5 V4 (which is the same router as Archer C50 V4) But I know the problem with mine. My eeprom is broken. I desolderd it and checked the content of it with a raspberry pi. It reads about 1.5 MB of zero's and then I get data. When I try to flash a new image, it fails on it since it can't write the first part of the chip. I have a new chip. That is no issue, but I don't know how to create a working image for it. Is there anyone who has a full dump of the router? Then I can create a working image. Basicly I have everything above 07c0000.

0x0000007c0000-0x0000007d0000 : "config"
0x0000007d0000-0x0000007e0000 : "romfile"
0x0000007e0000-0x0000007f0000 : "ispconfig"
0x0000007f0000-0x000000800000 : "radio"

For the ones who has no serial connection, no tftp, no leds, I think it also is missing parts in the boot process. Only thing to do in that case. desolder the eeprom, read out the chip. check wheter you got the routers config stuff (everything above 07c0000), Create a new full image, and flash the chip again.
When mine is working I will create a document howto to do that.

1 Like

Hi all,

Oke... I got a working C50V4 which runs OpenWrt 19.07-SNAPSHOT r10269-5100629e32 / LuCI openwrt-19.07 branch (git-19.190.55584-ab90938) from a friend.
I know it should work with the A5 V4 because the firmware of TP-Link I downloaded for the A5 V4 is called: Archer_C50v4_EU_0.9.1_0.2_up_boot[190125-rel63783].bin. So, I'm 95% certain it should work.
First we cleaned it and checked it was working as espected.
We opened the router and desoldered the eeprom and connected it to the raspberry pi.

Pin # winbond 25q64 Raspberry Pi
1 CS 24
2 MISO 21
3 /wp pull up resistor (2k)
4 GND 25
5 MOSI 19
6 CLK 23
7 /wp pull up resistor (2k)
8 3.3V 1

The rpi must have enabled spi (in /boot/config.txt dtparam=spi=on)

With the next command I dumped the eeprom:
flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=2000 -r WORKING.bin

This I already did with my own router. I called the file ORIGINAL.bin

Mine was corrupt for the first part, but I could still use the router specific data such as radio and stuff.
That part starts from 007c0000 (which is 8126464 bytes) so we want to etract that and replace it in the new eeprom.
Since I don't know how and if the command flashrom can write parts of the eeprom I created just a new dump:

dd if=ORIGINAL.bin of=ROUTERSPECIFIC.bin bs=8126464 skip=1
dd if=WORKING.bin of=OPENWRTC50V4.bin bs=8126464 count=1
cp OPENWRTC50V4.bin NEWFLASH.bin
cat ROUTERSPECIFIC.bin >> NEWFLASH.bin

To check at least the size do "ls -l NEWFLASH.bin" it should be exactly 8388608 bytes
Then I took a new eeprom and flased the file to it.

flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=2000 -w NEWFLASH.bin

I solderd it back in my router, (and also the donor router) And geasss...... IT WORKED!!!!!

Both routers are now running: OpenWrt 19.07-SNAPSHOT r10269-5100629e32 / LuCI openwrt-19.07 branch (git-19.190.55584-ab90938)

note that mine is a TP-Link A5 V4 and the one from my friend is a TP-Link C50 V4. So at least the OS part is exactly the same. If the radio stuff differs, I don't know.
I will make a nice tutorial later. But for today I'm done reading and thinking.

regards Marc

5 Likes

Flash data is easily extracted by OpenWrt running on a NOR flash router. No need to remove the chip.

Use cat /proc/mtd and/or read the boot log to find the names and locations of the flash partitions. In general each area of flash has its own partition and there is also a partition named "firmware" which is an alias that overlays the kernel, rootfs, and rootfs-data.

The flash maps to "mtd" psuedo-files in /dev. For example /dev/mtd0 is almost always the bootloader. These files can't be copied directly but you can read them into a real file with cat or dd:
cat /dev/mtd0 > /tmp/bootloader.bin
or
dd if=/dev/mtd0 of=/tmp/bootloader.bin
Be sure to save your images in the RAM disk /tmp because there isn't space for them in the flash. Then scp them to a PC.

2 Likes

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.