Archer C7 V2 TFTP flash failing

wifi_wisperer · July 9, 2018, 1:17am

I have 2 Archer C7's I'm trying to flash via tftp to return them to factory image. They formerly had OpenWRT on them, configured in AP mode to get an IP via DHCP, so I just defaulted to TFTP flash to quickly get access to re-configure them. I see them receive the image through tcpdump, however, the LAN-side interface never comes back up after receiving the factory image. I've tried every US version of the official tp-link firmware, also the most recent stable openwrt factory image.

The serial numbers start with 2151 and 2159, according to this post is a Jan 2015 and Sep 2015 manufacture date. Not sure that it matters, but one looks for 192.168.1.66 and the other 192.168.0.66 for a tftp image (IIRC, thats due to the bootloader version).

Anyone else have these issues or any other suggestions for getting any workable image on them? I don't care to solder; at that point I'll call them a lost cause.

jeff · July 9, 2018, 1:33am

What IP address are you checking after the flash?

As I recall, it comes up on 192.168.0.1 admin/admin

(Or let it give you an IP address and use its DNS for http://tplinklogin.net/ at least according to the sticker on the bottom of the one on my desk.)

wifi_wisperer · July 9, 2018, 1:39am

Thanks for responding, jeff. I'm switching to 192.168.0.x network and pinging for 192.168.0.1. The interface on the archer c7's doesn't come back up - all I see on tcpdump is ARP requests and network advertisements from my own network interface. The LEDs on the front flash, except for the power, star, and the wireless 5G icon (looks like a boot loop to me).

jeff · July 9, 2018, 2:23am

OK, from my notes, which may or may not be correct

quoted text is something I found elsewhere

Rename the stock firmware file archerC7v2_tp_recovery.bin

For firmware revisions before 3.14.1 (140929), the router looks for an IP address of 192.168.1.66 and a file named ArcherC7v2_tp_recovery.bin. Firmware 3.14.1 updates the bootloader to look for an IP address of 192.168.0.66 and a file named ArcherC7v3_tp_recovery.bin even on hardware v2 units, but may also load ArcherC7v2_tp_recovery.bin. Some v1.1 units may also look for ArcherC7v1_tp_recovery.bin. The model Archer C5 looks for the file ArcherC5v1_tp_recovery.bin.

$ ls -l /private/tftpboot/
total 59820
lrwxr-xr-x  1 root  wheel        61 Feb 21 09:39 ArcherC7v2_tp_recovery.bin -> lede-17.01.4-ar71xx-generic-archer-c7-v2-squashfs-factory.bin
-rw-r--r--@ 1 root  wheel  16252928 Oct 18  2017 lede-17.01.4-ar71xx-generic-archer-c7-v2-squashfs-factory-us.bin
-rw-r--r--@ 1 root  wheel  16252928 Oct 18  2017 lede-17.01.4-ar71xx-generic-archer-c7-v2-squashfs-factory.bin

These are my notes below. I'm not too sure about "hold reset until TFTP completes", but might have to hold it until at least it starts. Pretty clearly I thought it important at the time!

Via Serial Console

192.168.0.66 on Mac or is it 192.168.1.66 ??

sudo launchctl load -F /System/Library/LaunchDaemons/tftp.plist

HOLD RESET UNTIL TFTP COMPLETES

$ plink -serial $ESPPORT -sercfg 115200

U-Boot 1.1.4 (Apr 24 2015 - 13:53:04)

ap135 - Scorpion 1.0DRAM:  
sri
Scorpion 1.0
ath_ddr_initial_config(178): (32bit) ddr2 init
tap = 0x00000003
Tap (low, high) = (0x3, 0x1e)
Tap values = (0x10, 0x10, 0x10, 0x10)
128 MB
Flash Manuf Id 0xef, DeviceId0 0x40, DeviceId1 0x18
flash size 16MB, sector count = 256
Flash: 16 MB
Using default environment

*** Warning *** : PCIe WLAN Module not found !!!
In:    serial
Out:   serial
Err:   serial
Net:   ath_gmac_enet_initialize...
athrs_sgmii_res_cal: cal value = 0xe
No valid address in Flash. Using fixed address
No valid address in Flash. Using fixed address
ath_gmac_enet_initialize: reset mask:c02200 
Scorpion  ----> S17 PHY *
Vlan config...
TEST: FINAL REG VAL after TX Calibration - 0x46000000
TEST: FINAL XMII VAL after RX Calibration - 0x56000000
TEST: FINAL ETH_CFG VAL after RX Calibration - 0x00014001
athrs17_reg_init: complete
: cfg1 0x80000000 cfg2 0x7335
eth0: ba:be:fa:ce:08:41
eth0 up
athrs17_reg_init_wan done
SGMII in forced mode
athr_gmac_sgmii_setup SGMII done
: cfg1 0x800c0000 cfg2 0x7214
eth1: ba:be:fa:ce:08:41
eth1 up
eth0, eth1
Setting 0x18116290 to 0x50a1214f
Autobooting in 1 seconds
## Booting image at 9f020000 ...
   Uncompressing Kernel Image ... ERROR: LzmaDecode.c, 543

Decoding error = 1
LZMA ERROR 1 - must RESET board to recover

U-Boot 1.1.4 (Apr 24 2015 - 13:53:04)

ap135 - Scorpion 1.0DRAM:  
sri
Scorpion 1.0
ath_ddr_initial_config(178): (32bit) ddr2 init
tap = 0x00000003
Tap (low, high) = (0x3, 0x1d)
Tap values = (0x10, 0x10, 0x10, 0x10)
128 MB
Flash Manuf Id 0xef, DeviceId0 0x40, DeviceId1 0x18
flash size 16MB, sector count = 256
Flash: 16 MB
Using default environment

*** Warning *** : PCIe WLAN Module not found !!!
In:    serial
Out:   serial
Err:   serial
Net:   ath_gmac_enet_initialize...
athrs_sgmii_res_cal: cal value = 0xe
No valid address in Flash. Using fixed address
No valid address in Flash. Using fixed address
ath_gmac_enet_initialize: reset mask:c02200 
Scorpion  ----> S17 PHY *
Vlan config...
TEST: FINAL REG VAL after TX Calibration - 0x46000000
TEST: FINAL XMII VAL after RX Calibration - 0x56000000
TEST: FINAL ETH_CFG VAL after RX Calibration - 0x00028001
athrs17_reg_init: complete
: cfg1 0x80000000 cfg2 0x7335
eth0: ba:be:fa:ce:08:41
eth0 up
athrs17_reg_init_wan done
SGMII in forced mode
athr_gmac_sgmii_setup SGMII done
: cfg1 0x800c0000 cfg2 0x7214
eth1: ba:be:fa:ce:08:41
eth1 up
eth0, eth1
Setting 0x18116290 to 0x50a1214f
dup 1 speed 1000
Using eth1 device
TFTP from server 192.168.0.66; our IP address is 192.168.0.86
Filename 'ArcherC7v2_tp_recovery.bin'.
Load address: 0x80060000
Loading: #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #######################################################
done
Bytes transferred = 16252928 (f80000 hex)
original_product_id = c7000002
 original_product_ver = 01
 recovery_product_id = c7000002
 recovery_product_ver = 01
 auto update firmware: product id verify sucess!
Firmware recovery: product id verify sucess!
Firmware recovery: FLASH_SIZE = 16 filesize = 0xf80000.
Erasing flash...

wifi_wisperer · July 15, 2018, 11:32pm

Thanks for responding and confirming I'm doing things correct. Seems like randomly another took the firmware and booted - its somehow related to the timing of holding the reset button?

These seem very inconsistent - the tcpdump looked the same as the other failed times.

juppin · July 17, 2018, 9:52am

original_product_id = c7000002
 original_product_ver = 01
 recovery_product_id = c7000002
 recovery_product_ver = 01
 auto update firmware: product id verify sucess!
Firmware recovery: product id verify sucess!

I think this step fails on your device... Probably your flashed image does not match the current one in your flash.
Solder a serial header and check the tftp update process really flashes anything.

Why not simply use the failsave mode of openwrt and flash your stock image (should not contain bootloader) with sysupgrade -F?

wifi_wisperer · July 18, 2018, 4:01am

Thanks for the tip on failsafe mode - I've use lede/openwrt quite a bit, but didn't realize we had this - super useful for the future!

wifi_wisperer · July 18, 2018, 4:42am

@juppin - I think you are correct, I'm only able to get the device to take a close image match of whatever was flashed before onto the device (typically openwrt/lede).

I'm stuck on one last device that probably had an old lede/openwrt. I've tried as many builds as I can find - is there anyway to tell when that product id changes in the images (or change them myself ;)? I can get my soldering kit out, but I'll need some hardware to read it, then try to find an image with that pid, unless those can be changed in a build script.

juppin · July 18, 2018, 5:26am

Yes.

If you could boot up your device in failsave mode, simply flash 18.06, 17.01.05 or a snapshot and your tp link header should be ok to use tftp recovery again.

If this does not work, you will need serial and check for the values that do not match...

There are two options:

build a image with the modified required values
modifiy the tp link header with a hex editor to match the expected values

Take a look at the following thread.

wifi_wisperer · July 19, 2018, 4:09am

@juppin - thanks so much. That thread is exactly what happened - in fact, I'm glad the openwrt/lede build you provided is still up because that flashed to my device.

Now it appears I have to write a new U-boot image to get any other image to take (or somehow modify the hw id) - using sysupgrade results in:
Invalid image, hardware ID mismatch, hw:ffffffff ffffffff image:c7000002 00000001.
Image check 'platform_check_image' failed.

wifi_wisperer · July 19, 2018, 4:29am

I just re-read your above comments. sysupgrade -F with a stripped boot loader factory image worked!

Thanks again!

Protopale · November 14, 2020, 4:05pm

How to strip the factory firmware?