[SOLVED]Archer C7(RU) V5 install throught UART

Connected to router trought UART

tftp 0x86000000 openwrt-18.06.1-ar71xx-generic-archer-c7-v5-squashfs-factory.bin
erase 0x9f030000 +0x3cfede
cp.b 0x86000000 0x9f030000 0x3cfede

printenv

bootargs=console=ttyS0,115200 board=AP152 rootfstype=squashfs init=/etc/preinit mtdparts=spi0.0:128k(factory-uboot),192k(u-boot),64k(ART),1536k(uImage),14464k@0x1e0000(rootfs) mem=128M
bootcmd=bootm 0x9f0c0000
bootdelay=1
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
dir=
lu=tftp 0x80060000 ${dir}tuboot.bin&&erase 0x9f000000 +$filesize&&cp.b $fileaddr 0x9f000000 $filesize
lf=tftp 0x80060000 ${dir}ap152${bc}-jffs2&&erase 0x9f010000 +$filesize&&cp.b $fileaddr 0x9f010000 $filesize
lk=tftp 0x80060000 ${dir}vmlinux${bc}.lzma.uImage&&erase 0x9f300000 +$filesize&&cp.b $fileaddr 0x9f300000 $filesize
stdin=serial
stdout=serial
stderr=serial
ethact=eth0
filesize=3cfede
fileaddr=86000000
ipaddr=192.168.0.2
serverip=192.168.0.10

Environment size: 735/65532 bytes

But it does not works.
May be I used wrong adress???
Help me please.

In bootlog:

[NM_Error](nm_api_checkInteger) 00384: extra-para:49 52
[NM_Error](nm_api_checkInteger) 00389: factory boot check integer flag is not 1

bootlog

You have stored the firmware at 9f03 but the script wants to boot it at 9f0c. One of those is wrong. If you manually run bootm 0x9f030000 do you get a proper boot?

bootm 0x9f030000
Bad Magic Number

Tried 3 different

First is Development Snapshot builds

tftp 0x86000000 openwrt-ar71xx-generic-archer-c7-v5-squashfs-factory-dev.bin
erase 0x9f0c0000 +3fcd77
cp.b 0x86000000 0x9f0c0000 3fcd77

tftp 0x86000000 openwrt-18.06.0-ar71xx-generic-archer-c7-v5-squashfs-factory.bin
erase 0x9f0c0000 +3cfb06
cp.b 0x86000000 0x9f0c0000 3cfb06

tftp 0x86000000 openwrt-18.06.1-ar71xx-generic-archer-c7-v5-squashfs-factory.bin
erase 0x9f0c0000 +3cfede
cp.b 0x86000000 0x9f0c0000 3cfede

After every flashing:

bootm 0x9f0c0000
Booting image at 9f0c0000 ...
Bad Magic Number

After reset in bootlog

[NM_Error](nm_api_checkInteger) 00384: extra-para:d4 f4
[NM_Error](nm_api_checkInteger) 00389: factory boot check integer flag is not 1.

Also I missed that when you're writing directly to flash you need the sysupgrade format, not the factory bin.

Factory has a header that the factory web interface firmware looks for (and removes before flashing). Sysupgrade is a direct image of the flash data.

Thank you for answer

Flashing

tftp 0x86000000 openwrt-18.06.1-ar71xx-generic-archer-c7-v5-squashfs-sysupgrade.bin
erase 0x9f0c0000 +4000b1
cp.b 0x86000000 0x9f0c0000 4000b1

After that:

bootm 0x9f0c0000

And system boots fine, everything works.

BUT!
After reset:

[NM_Error](nm_api_checkInteger) 00384: extra-para:49 52
[NM_Error](nm_api_checkInteger) 00389: factory boot check integer flag is not 1.

And halting

bootlog

P.S. The same situation with development snap shot

Would you be able to share pin out for Archer C7 v5 as I'm struggling with flashing as it doesn't detect my key presses.

That's because RX pin not connected to connector.

May be, better solution to connect RX to R24/R27, but I burned them. So I scratched the road and connect RX to it.

Many thanks. I nearly did the same thing as you.
To those wants to do this job using regular soldering iron - don't do this. I though a good soldering iron could do the job, but in reality thermofan needed.

How I did it.

This is what I had after I soldered pins

This is unsuccessful attempt to short R24

So I took a syringe with a sharp needle and a piece of arduino wire. Needle through the piece of wire. Syringe into needle and set sharp needle onto the right whole of R24. Syringe works as a weight and needle as a piece of wire connected to the road.

Sorry quality not the best but you should get the idea

After I managed to connect to RX, I'm in the same boat with Archer C7(US) V5. First time I tried to flash openwrt, then I tried stock firmware loaded from tplink.

john@laptop:~/Downloads/TP-linkConfigBackup2019-01-12/ArcherC7$ sha256sum *
418877474d8a9fb4e986c6e60ca07e86fc44c54c0a5e88153c49824173a3980c  Archer C7(US)_V5_180425.zip
john@laptop:~/Downloads/TP-linkConfigBackup2019-01-12/ArcherC7$ cd Archer\ C7\(US\)_V5_180425/
john@laptop:~/Downloads/TP-linkConfigBackup2019-01-12/ArcherC7/Archer C7(US)_V5_180425$ sha256sum *
0932ee66e83f4c16d0e4a52484010e04458908f8952ea53fb13a675f7a1f96dd  c7v5_us-eu-ca-jp-tw-up-ver1-0-4-P1[20180425-rel72768].bin
john@laptop:~/Downloads/TP-linkConfigBackup2019-01-12/ArcherC7/Archer C7(US)_V5_180425$ ls -la
total 15656
drwxrwxr-x 2 john john     4096 May 16  2018  .
drwxrwxr-x 4 john john     4096 Jan 14 10:13  ..
-rw-rw-r-- 1 john john 15504354 Apr 25  2018 'c7v5_us-eu-ca-jp-tw-up-ver1-0-4-P1[20180425-rel72768].bin'

Then I renamed file to the proper name, deleted old one in tftp server and copied it there

john@laptop:~/Downloads/TP-linkConfigBackup2019-01-12/ArcherC7/Archer C7(US)_V5_180425$ mv c7v5_us-eu-ca-jp-tw-up-ver1-0-4-P1\[20180425-rel72768\].bin 0200A8C0.img
john@laptop:~/Downloads/TP-linkConfigBackup2019-01-12/ArcherC7/Archer C7(US)_V5_180425$ ls -la
total 15656
drwxrwxr-x 2 john john     4096 Jan 14 10:16  .
drwxrwxr-x 4 john john     4096 Jan 14 10:13  ..
-rw-rw-r-- 1 john john 15504354 Apr 25  2018  0200A8C0.img
john@laptop:~/Downloads/TP-linkConfigBackup2019-01-12/ArcherC7/Archer C7(US)_V5_180425$ ls /var/tftpboot
0200A8C0.img  ArcherC7v5_tp_recovery.bin  a.txt  tp_recovery.bin  wdr4300v1_tp_recovery.bin
john@laptop:~/Downloads/TP-linkConfigBackup2019-01-12/ArcherC7/Archer C7(US)_V5_180425$ rm /var/tftpboot/0200A8C0.img 
john@laptop:~/Downloads/TP-linkConfigBackup2019-01-12/ArcherC7/Archer C7(US)_V5_180425$ cp 0200A8C0.img /var/tftpboot/0200A8C0.img 
john@laptop:~/Downloads/TP-linkConfigBackup2019-01-12/ArcherC7/Archer C7(US)_V5_180425$ ls /var/tftpboot
0200A8C0.img  ArcherC7v5_tp_recovery.bin  a.txt  tp_recovery.bin  wdr4300v1_tp_recovery.bin
john@laptop:~/Downloads/TP-linkConfigBackup2019-01-12/ArcherC7/Archer C7(US)_V5_180425$ 

Then I did this

U-Boot 1.1.4 (Mar  8 2018 - 16:34:18)

ap152 - Dragonfly 1.0

DRAM:  128 MB
Top of RAM usable for U-Boot at: 88000000
Reserving 413k for U-Boot at: 87f98000
Reserving 16448k for malloc() at: 86f88000
Reserving 44 Bytes for Board Info at: 86f87fd4
Reserving 36 Bytes for Global Data at: 86f87fb0
Reserving 128k for boot params() at: 86f67fb0
Stack Pointer at: 86f67f98
Now running in RAM - U-Boot at: 87f98000
Flash Manuf Id 0xef, DeviceId0 0x40, DeviceId1 0x18
flash size 16MB, sector count = 256
Flash: 16 MB
Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ath_gmac_enet_initialize...
Fetching MAC Address from 0x87fbafdc
ath_gmac_enet_initialize: reset mask:c02200
athr_mgmt_init ::done
Dragonfly  ----> S17 PHY *
athrs17_reg_init: complete
SGMII in forced mode
athr_gmac_sgmii_setup SGMII done
: cfg1 0x80000000 cfg2 0x7114
eth0: 00:00:29:ad:00:00
eth0 up
eth0
Setting 0x181162c0 to 0x41822100
[NM_Error](nm_api_checkInteger) 00384: extra-para:74 3c


[NM_Error](nm_api_checkInteger) 00389: factory boot check integer flag is not 1.

Hit any key to stop autoboot:  0
ath> tftpboot
Trying eth0
dup 1 speed 1000
*** Warning: no boot file name; using '0200A8C0.img'
Using eth0 device
TFTP from server 192.168.0.10; our IP address is 192.168.0.2
Filename '0200A8C0.img'.
Load address: 0x81000000
Loading: #################################################################
         #################################################################
removed many similar lines
         #################################################################
         #######################################
done
Bytes transferred = 15504354 (ec93e2 hex)
ath> erase 0x9f020000 +ec93e2
Erasing flash...
First 0x2 last 0xee sector size 0x10000                                      238
Erased 237 sectors
ath> cp.b 0x81000000 0x9f020000 0xec93e2
Copy to Flash... write addr: 9f020000
done
ath> reset

U-Boot 1.1.4 (Mar  8 2018 - 16:34:18)

ap152 - Dragonfly 1.0

DRAM:  128 MB
Top of RAM usable for U-Boot at: 88000000
Reserving 413k for U-Boot at: 87f98000
Reserving 16448k for malloc() at: 86f88000
Reserving 44 Bytes for Board Info at: 86f87fd4
Reserving 36 Bytes for Global Data at: 86f87fb0
Reserving 128k for boot params() at: 86f67fb0
Stack Pointer at: 86f67f98
Now running in RAM - U-Boot at: 87f98000
Flash Manuf Id 0xef, DeviceId0 0x40, DeviceId1 0x18
flash size 16MB, sector count = 256
Flash: 16 MB
Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ath_gmac_enet_initialize...
Fetching MAC Address from 0x87fbafdc
ath_gmac_enet_initialize: reset mask:c02200
athr_mgmt_init ::done
Dragonfly  ----> S17 PHY *
athrs17_reg_init: complete
SGMII in forced mode
athr_gmac_sgmii_setup SGMII done
: cfg1 0x80000000 cfg2 0x7114
eth0: 00:00:29:ad:00:00
eth0 up
eth0
Setting 0x181162c0 to 0x41822100
[NM_Error](nm_api_checkInteger) 00384: extra-para:a6 3b


[NM_Error](nm_api_checkInteger) 00389: factory boot check integer flag is not 1.

Hit any key to stop autoboot:  0
Trying eth0
eth0 link down
FAIL
Trying eth0
dup 1 speed 1000
HTTP server is starting at IP: 192.168.0.1
HTTP server is ready!

Here're Build for TP-Link Archer C1200-AC1200 the similar problem described and the potential solution to dump stock. So, we need an owner of the stock firmware who can help us and himself for the future. I think we need put somewhere(most likely here https://openwrt.org/toh/tp-link/archer-c5-c7-wdr7500#recovery_using_serial_connection) an note for owners of Archer C7 v5 something like:

BEWARE You may brick your device as others did, help us and yourself !!!

Please contact ... for the instructions how to get stock firmware before you start.

Update. I moved a step closer but this is not the solution as I still have not fixed it.

Below the steps. But I think the reason why I can't fix is that the web interface seems expects a Firmware Recovery file while I'm giving just firmware. I think this just because I see the message in the logs
Firmware Recovery file length : 3997406

The steps:
Once I got a message HTTP server is ready!

Setting 0x181162c0 to 0x41822100

[NM_Error](nm_api_checkInteger) 00384: extra-para:a6 3b

[NM_Error](nm_api_checkInteger) 00389: factory boot check integer flag is not 1.

Hit any key to stop autoboot: 0

Trying eth0

eth0 link down

FAIL

Trying eth0

dup 1 speed 1000

HTTP server is starting at IP: 192.168.0.1

HTTP server is ready!

I opened http://192.168.0.1/ and received router page saying an error happened

I selected same file from tftp server It rebooted and yes! It looks promising!

I specified the password and after reboot when I enter password, it detects that password is correct and then redirects me to a internal page like I logged in then it redirects me back to login page. When I tried to enter incorrect password it clearly showed popup that password incorrect.

I decided to try to flash openwrt from web interface and it did not work as it stops at Starting application at 0x80010000. here's the logs

[NM_Error](nm_api_checkInteger) 00389: factory boot check integer flag is not 1.

Hit any key to stop autoboot: 0

Trying eth0

eth0 link down

FAIL

Trying eth0

dup 1 speed 1000

HTTP server is starting at IP: 192.168.0.1

HTTP server is ready!

Request for: /

Request for: /

Data will be downloaded at 0x80060000 in RAM

Upgrade type: firmware

Upload file size: 3997406 bytes

Loading: #######################################

#######################################

#######################################

###################################

Firmware Recovery file length : 3997406

Firmware process common.

Image verify OK!

Firmware file Verify ok!

product-info:product_name:Archer C7

product_ver:5.0.0

special_id:55530000

[Error]sysmgr_cfg_checkSupportList(): 1023 @ specialId 00000000 NOT Match.

Firmware supports, check OK.

Firmware Recovery check ok!

upgrade_filecheck ok

HTTP upload is done! Upgrading...

do http upgrade

Firmware Recovery file length : 3997406

Firmware process common.

Image verify OK!

Firmware file Verify ok!

product-info:product_name:Archer C7

product_ver:5.0.0

special_id:55530000

[Error]sysmgr_cfg_checkSupportList(): 1023 @ specialId 00000000 NOT Match.

Firmware supports, check OK.

Firmware Recovery check ok!

set integer flag to 0.

##################################################################

Done.

set integer flag to 1.

Firmware Recovery Success!

HTTP ugrade is done! Rebooting...

▒

U-Boot 1.1.4 (Mar 8 2018 - 16:34:18)

ap152 - Dragonfly 1.0

DRAM: 128 MB

Top of RAM usable for U-Boot at: 88000000

Reserving 413k for U-Boot at: 87f98000

Reserving 16448k for malloc() at: 86f88000

Reserving 44 Bytes for Board Info at: 86f87fd4

Reserving 36 Bytes for Global Data at: 86f87fb0

Reserving 128k for boot params() at: 86f67fb0

Stack Pointer at: 86f67f98

Now running in RAM - U-Boot at: 87f98000

Flash Manuf Id 0xef, DeviceId0 0x40, DeviceId1 0x18

flash size 16MB, sector count = 256

Flash: 16 MB

Using default environment

In: serial

Out: serial

Err: serial

Net: ath_gmac_enet_initialize...

Fetching MAC Address from 0x87fbafdc

ath_gmac_enet_initialize: reset mask:c02200

athr_mgmt_init ::done

Dragonfly ----> S17 PHY *

athrs17_reg_init: complete

SGMII in forced mode

athr_gmac_sgmii_setup SGMII done

: cfg1 0x80000000 cfg2 0x7114

eth0: 00:00:29:ac:00:00

eth0 up

eth0

Setting 0x181162c0 to 0x4b962100

[NM_Error](nm_api_checkInteger) 00384: extra-para:01 01

[393]factory boot check integer ok.

factory boot load fs uboot len 33 to addr 0x80010000.

Hit any key to stop autoboot: 0

## Starting application at 0x80010000 ...

Update 2.

Did an attempt to flash a latest tplink firmware https://static.tp-link.com/2018/201805/20180518/Archer%20C7(US)_V5_180425.zip
after update and reload entered a password and same problem it asks again for a password, but this time I pressed some keys in the Putty and I got a to a terminal as a root.

BusyBox v1.19.4 (2017-12-14 11:10:02 HKT) built-in shell (ash)
Enter 'help' for a list of built-in commands.

     MM           NM                    MMMMMMM          M       M
   $MMMMM        MMMMM                MMMMMMMMMMM      MMM     MMM
  MMMMMMMM     MM MMMMM.              MMMMM:MMMMMM:   MMMM   MMMMM
MMMM= MMMMMM  MMM   MMMM       MMMMM   MMMM  MMMMMM   MMMM  MMMMM'
MMMM=  MMMMM MMMM    MM       MMMMM    MMMM    MMMM   MMMMNMMMMM
MMMM=   MMMM  MMMMM          MMMMM     MMMM    MMMM   MMMMMMMM
MMMM=   MMMM   MMMMMM       MMMMM      MMMM    MMMM   MMMMMMMMM
MMMM=   MMMM     MMMMM,    NMMMMMMMM   MMMM    MMMM   MMMMMMMMMMM
MMMM=   MMMM      MMMMMM   MMMMMMMM    MMMM    MMMM   MMMM  MMMMMM
MMMM=   MMMM   MM    MMMM    MMMM      MMMM    MMMM   MMMM    MMMM
MMMM$ ,MMMMM  MMMMM  MMMM    MMM       MMMM   MMMMM   MMMM    MMMM
  MMMMMMM:      MMMMMMM     M         MMMMMMMMMMMM  MMMMMMM MMMMMMM
    MMMMMM       MMMMN     M           MMMMMMMMM      MMMM    MMMM
     MMMM          M                    MMMMMMM        M       M
       M
 ---------------------------------------------------------------
   For those about to rock... (%C, %R)
 ---------------------------------------------------------------
root@ArcherC7v5:/#

Found interesting files

root@ArcherC7v5:/etc# cat openwrt_version
%V
root@ArcherC7v5:/etc# cat openwrt_release
DISTRIB_ID="%D"
DISTRIB_RELEASE="%C"
DISTRIB_REVISION="%R"
DISTRIB_CODENAME="%n"
DISTRIB_TARGET="%S"
DISTRIB_DESCRIPTION="%D %N %V"
root@ArcherC7v5:/etc#
root@ArcherC7v5:/etc#

This solution works for me

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.