Archer C60 V2 Softbricked

Hi, I've bricked a TP-Link Archer C60 V2 and I couldn't bring it back to life even by trying to flash it with tftp over serial. If I let it boot, it loads the recovery HTTP page, where I can upload a new firmware, but this doesn't succeed either, saying "This firmware is not for this device" for both the BR and EU stock firmwares (it doesn't like OpenWRT either, saying that the file is invalid).

I initially read on this topic that I can flash it with OpenWRT by specifying some addresses (0x......), but there are some variables that I don't know.

In:

tftp 0x80060000 openwrt-18.06.0-ar71xx-generic-archer-c60-v2-squashfs-sysupgrade.bin
erase 0x9f030000 +$filesize
cp.b $fileaddr 0x9f030000 $filesize
run bootcmd

Which addresses are $filesize and $fileaddr? I already tried replacing $filesize with the size in bytes of the firmware ( 0x{firmware size bytes in HEX} ) and $fileaddr with 0x80060000, but when I do run bootcmd and watch the serial console, it loads U-Boot, says "Starting application at 0x...." and then hangs there. If I restart it physically, some errors appear such as "partition name not found" and then it proceeds to start the TP-Link recovery HTTP server, which is also useless.

Any advice is greatly appreciated.

Bump. Anyone?

1 Like

The full output of the U-Boot help and environment as well as a reference to the flash layout of the device would be helpful. Also echo of those variables, if not listed in printenv

1 Like

Thanks for the reply jeff.
As soon as I get home I'll log the serial and post it here, but let me ask you one more question first:
Which commands should I perform in order to get the flash layout and variables?

1 Like

For most U-Boot implementations

help
printenv

For the flash layout, a link to the section of the device page that describes it is probably enough

1 Like

Arrived at home and as promised, hooked that thing up to my serial converter.



U-Boot 1.1.4 (Dec  6 2016 - 19:05:34)

ap151 - Dragonfly 1.0

DRAM:  64 MB
Top of RAM usable for U-Boot at: 84000000
Reserving 402k for U-Boot at: 83f98000
Reserving 32832k for malloc() at: 81f88000
Reserving 44 Bytes for Board Info at: 81f87fd4
Reserving 36 Bytes for Global Data at: 81f87fb0
Reserving 128k for boot params() at: 81f67fb0
Stack Pointer at: 81f67f98
Now running in RAM - U-Boot at: 83f98000
Flash Manuf Id 0xc8, DeviceId0 0x40, DeviceId1 0x17
flash size 8MB, sector count = 128
Flash:  8 MB
Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ath_gmac_enet_initialize...
No valid address in Flash. Using fixed address
No valid address in Flash. Using fixed address
ath_gmac_enet_initialize: reset mask:c02200
Dragonfly----> S27 PHY *
: cfg1 0x80000000 cfg2 0x7114
eth0: 00:03:7f:09:0b:ad
athrs27_phy_setup ATHR_PHY_CONTROL 4 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 4 :10
eth0 up
ATHRS27: resetting s27
ATHRS27: s27 reset done
: cfg1 0x800c0000 cfg2 0x7214
eth1: 00:03:7f:09:0b:ad
athrs27_phy_setup ATHR_PHY_CONTROL 0 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 0 :50
athrs27_phy_setup ATHR_PHY_CONTROL 1 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 1 :50
athrs27_phy_setup ATHR_PHY_CONTROL 2 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 2 :50
athrs27_phy_setup ATHR_PHY_CONTROL 3 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 3 :50
eth1 up
eth0, eth1
Setting 0x181162c0 to 0x82
Reading Partition Table from NVRAM ... OK
Parsing Partition Table ... OK
[NM_Error](nm_api_readPtnFromNvram) 00137: partition name not found.

[NM_Error](nm_api_checkInteger) 00369: factory boot check integer read flag partition fail.
Autobooting in 1 seconds
ath> help
?       - alias for 'help'
boot    - boot default, i.e., run 'bootcmd'
bootd   - boot default, i.e., run 'bootcmd'
bootm   - boot application image from memory
cp      - memory copy
erase   - erase FLASH memory
fwrecov - TP-Link Firmware Recovery Tools
go      - start application at address 'addr'
help    - print online help
httpd   - start www server for firmware recovery
mct   - simple RAM test
md      - memory display
mm      - memory modify (auto-incrementing)
mtest   - simple RAM test
mw      - memory write (fill)
nm      - memory modify (constant address)
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
setenv  - set environment variables
tftpboot- boot image via network using TFTP protocol
version - print monitor version
ath> printenv
bootargs=console=ttyS0,115200 board=AP151 rootfstype=squashfs init=/etc/preinit mtdparts=spi0.0:128k(factory-boot),64k(u-boot),1024k(uImage),6822k(rootfs),64k@0x7f0000(ART) mem=64M
bootcmd=go 0x80010000
bootdelay=1
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
ipaddr=192.168.0.1
serverip=192.168.0.10
dir=
lu=tftp 0x80060000 ${dir}tuboot.bin&&erase 0x9f000000 +$filesize&&cp.b $fileaddr 0x9f000000 $filesize
lf=tftp 0x80060000 ${dir}ap151${bc}-jffs2&&erase 0x9f010000 +$filesize&&cp.b $fileaddr 0x9f010000 $filesize
lk=tftp 0x80060000 ${dir}vmlinux${bc}.lzma.uImage&&erase 0x9f300000 +$filesize&&cp.b $fileaddr 0x9f300000 $filesize
stdin=serial
stdout=serial
stderr=serial
ethact=eth0

Environment size: 694/65532 bytes
ath>

When I try to run bootcmd, this happens:

ath> run bootcmd
## Starting application at 0x80010000 ...


U-Boot 1.1.4 (Dec  6 2016 - 19:05:34)

ap151 - Dragonfly 1.0

DRAM:   0 kB
Top of RAM usable for U-Boot at: 80000000
Reserving 402k for U-Boot at: 7ff98000
Reserving 32832k for malloc() at: 7df88000
Reserving 44 Bytes for Board Info at: 7df87fd4
Reserving 36 Bytes for Global Data at: 7df87fb0
Reserving 128k for boot params() at: 7df67fb0
Stack Pointer at: 7df67f98

-- HANGS HERE --

The OpenWRT page for the router is here: https://openwrt.org/toh/tp-link/tp-link_archer_c60_v2

Any help would be greatly appreciated :slight_smile:

1 Like

Your bootcmd is trying to boot from RAM, that will not work after power on since the only code in RAM is the running copy of the bootloader and a lot of empty space. The OS is stored in flash at addresses that start with 9F.

Try manually running
bootm 0x9f030000
That is the normal process to read the kernel from flash, uncompress it to RAM, and then jump ("go") into RAM to boot it. bootcmd should be set to some sort of bootm command.

When you tftp a file in it will tell you the number of bytes transferred, that is the filesize. The fileaddr is the location in RAM you specified in the tftp command, or 0x80060000 in this case.

It is very important to get the numbers right when manually erasing and copying to flash, so you don't damage the data in the bootloader or ART partitions.

1 Like
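
An added example (not part of the original thread or any poster's code): a check, built from the `mtdparts` string and flash geometry in the serial log above, that an `erase`/`cp.b` at a given address stays clear of the bootloader and ART partitions. It assumes flash is mapped at 0x9f000000, that `erase addr +len` rounds up to the end of a 64 KiB sector, and that factory-boot, u-boot and ART are the partitions to protect; the image size used is constructed.

```python
import re

FLASH_BASE = 0x9F000000            # flash mapping used by the thread's erase/cp.b commands
SECTOR = 8 * 1024 * 1024 // 128    # "flash size 8MB, sector count = 128" -> 64 KiB
# mtdparts string copied from the printenv output in the thread
MTDPARTS = ("spi0.0:128k(factory-boot),64k(u-boot),1024k(uImage),"
            "6822k(rootfs),64k@0x7f0000(ART)")
# Assumption: partitions a firmware write must never touch
PROTECTED = {"factory-boot", "u-boot", "ART"}

def parse_mtdparts(spec):
    """Return [(name, start_offset, end_offset)] for an mtdparts string."""
    parts, cursor = [], 0
    pattern = r"(\d+)([km]?)(?:@(0x[0-9a-fA-F]+))?\(([^)]+)\)"
    for size, unit, off, name in re.findall(pattern, spec.split(":", 1)[1]):
        length = int(size) * {"": 1, "k": 1024, "m": 1024 * 1024}[unit]
        start = int(off, 16) if off else cursor   # no @offset: follows previous part
        parts.append((name, start, start + length))
        cursor = start + length
    return parts

def erase_range(addr, filesize):
    """Flash offsets covered by `erase addr +filesize`, rounded up to a sector end."""
    start = addr - FLASH_BASE
    end = -(-(start + filesize) // SECTOR) * SECTOR   # ceiling to sector boundary
    return start, end

def check_write(addr, filesize, spec=MTDPARTS):
    """Names of protected partitions the erase would hit (empty list = safe)."""
    start, end = erase_range(addr, filesize)
    if start < 0 or start % SECTOR:
        raise ValueError("address is outside flash or not sector-aligned")
    return [name for name, s, e in parse_mtdparts(spec)
            if name in PROTECTED and start < e and s < end]

if __name__ == "__main__":
    for name, s, e in parse_mtdparts(MTDPARTS):
        print(f"{name:13s} 0x{FLASH_BASE + s:08x}-0x{FLASH_BASE + e - 1:08x}")
    size = 0x3C0000   # constructed image size, not a value from the thread
    print(check_write(0x9F030000, size) or "erase stays inside uImage/rootfs")
```

Run with the byte count that tftp reports as the file size; any partition name in the result means the erase would reach the bootloader or the radio calibration data.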

Wow, it booted straight up! So that's a good sign, I guess.

But one thing I didn't understand. You said:

This is exactly what I've done and these are correct, but why didn't it boot then?

What must I do in order to get it booting from "0x9f030000" (I suppose) every time?

Thank you :smiley:

1 Like

setenv bootcmd bootm 0x9f030000
saveenv

Great! Unfortunately the last command failed:

ath> setenv bootcmd bootm 0x9f030000
ath> saveenv
Unknown command 'saveenv' - try 'help'
ath> help
?       - alias for 'help'
boot    - boot default, i.e., run 'bootcmd'
bootd   - boot default, i.e., run 'bootcmd'
bootm   - boot application image from memory
cp      - memory copy
erase   - erase FLASH memory
fwrecov - TP-Link Firmware Recovery Tools
go      - start application at address 'addr'
help    - print online help
httpd   - start www server for firmware recovery
mct   - simple RAM test
md      - memory display
mm      - memory modify (auto-incrementing)
mtest   - simple RAM test
mw      - memory write (fill)
nm      - memory modify (constant address)
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
setenv  - set environment variables
tftpboot- boot image via network using TFTP protocol
version - print monitor version
ath>

But can you explain to me why I need to overwrite that variable? Like, that env wasn't there before, or was it?

Thank you

EDIT: Without "saving" the env, upon restarting it physically, it goes into the HTTP recovery mode again, it doesn't retain it...

Many factory bootloader builds hard-code the environment and don't have a saveenv command. Thus it is strange that it would be wrong. I'm not sure where to go from here.

I would suggest to try push-button tftp recovery and flashing an OEM firmware again, make sure to flash an OEM firmware with included bootloader to get a known-good (well, at least according to the vendor) on your flash - before you can flash OpenWrt again.

1 Like

This router doesn't seem to support that mode, only seen that on some older models.

However, I've trimmed the original firmware and flashed it this way. Unfortunately, it didn't boot either and goes straight into the recovery HTTP server.

Well, I flashed it back with the above addresses, now I've found these also here. Don't know how I've missed them:

Note: Replace $filesize below with value in hex reported after tftp command completes below. Uboot should replace the variable automatically, but it didn't seem to.

Ath> tftp 0x81000000 openwrt-18.06.1-ar71xx-generic-archer-c60-v2-squashfs-sysupgrade.bin
Ath> erase 0x9f030000 +$filesize
Ath> cp.b 0x81000000 0x9f030000 $filesize
Ath> reset

Now I'm as far as before. It boots when I specify the "bootm" address, but it doesn't save it and therefore it doesn't boot anymore when I reboot.

Has anyone a clue what I could do about it?

EDIT: I have another C60 V2 running OpenWRT in active use, maybe I could take a "byte backup" from there and restore it via tftp on this one? Is this possible? I was thinking about that if everything else fails (and later share that .img here). But shouldn't TP-Links stock firmware provide the boot part also, and if yes, where is it? I'm a little bit lost and pretty much a noob when it comes to low-level things...

Anyone? :confused:

Could this possibly contain something useful

Thanks for your help mhegab,

when I type in fwrecov, it literally echoes me back the same thing, like:

ath> fwrecov
fwrecov     TP-Link Firmware Recovery Tools

I think it's expecting a parameter or something, but it tells me nothing.

I already tried all of those commands before, most of them just echo back. Others like "md" shows me a little bit of memory of a particular address, but that's mostly it.

Why not use the Web Interface recovery tool

Give your PC a static IP

192.168.0.10

Then browse to
http://192.168.0.1/

Refer to this
https://www.tp-link.com/uk/faq-1482.html

1 Like

I already tried that. In fact, this was the first thing I tried and it didn't work with either the EU or BR stock firmware (nor with any OpenWRT).
It begins uploading and then says: "This firmware is not for this device", no matter which file I upload. Meanwhile in the serial console I see: "Archer C60 NOT match!" two times and that's it.

I already tried renaming the files: ArcherC60v2_tp_recovery.bin, ArcherC60_tp_recovery.bin or even tp_recovery.bin to no avail.

Then use the original firmware from the manufacturer to at least un-brick your device

But I have.

EN: https://www.tp-link.com/en/download/Archer-C60_V2.html#Firmware
BR: https://www.tp-link.com/br/download/Archer-C60_V2.html#Firmware

Those all failed. The device is from Paraguay, if that matters, so technically it's not BR or EN. And I also couldn't find any TP-Link page from that location, so it's probably one of these, but none worked.