Archer c7 v5 (Hex edit) Stripping Stock Firmware for Reverting to stock

I have compared the stock firmware 1.0.4 20180425-rel72768 in hex editor and binwalk and these are the screenshots

I have the US version of the archer c7 v5

Could someone please explain what sections in this binwalk output will be checked by the router before flashing it?

What is the stripping process in this firmware so that it can bypass the header checks whenever TFTP is used, it can recover the router. I am seeing many users not able to revert to stock since they encounter a timeout error at a particular segment, or a filetype error or sometimes the router doesn't even tell what the error is.

This is the same file in the hex editor. Where does the product version and the hardware version located in this file? I have seen some posts where changing it to 0xFF will bypass the TFTP checks.

Thank you for any and all responses.

If you're running OpenWrt, make a file that starts at the kernel uImage (here 0x12a36) by removing everything before that, then flash it with sysupgrade -F -n.

The new "safeloader" TP-Link header structure is complicated.

1 Like

My understanding is that the TPLink stock router(one that came fresh from the factory) also has this complicated safeloader TP-Link header in its flash chip, in addition to the firmware files from the website.

If I flash openwrt, will this safeloader header be overwritten by the contents of the openwrt factory bin? since the openwrt factory bins start at 0x21BD(8637 for 18.06.4) and at 0x223B(8763 for 19.07.4) while the stock firmware starts from 0x12a36(76342). Will this flashing(through tftp or webserver) corrupt the original_product_id and original_product_ver that is currently in the fresh-from-factory router?

Since these openwrt factory bins start early in the partition which is going to be flashed(compared to the stock firmware from tplink website), will it brick the router?

I am really confused about this.

I really appreciate your help, considering you do it on a volunteer basis for needy people like me. Thank you for the contribution.

The bootloader or the stock firmware examine the TP-Link header and break it into components, here bootloader and OS. Also a big part is validating the list of countries in the header vs the router's intended country. This is stored in the bootloader and I suppose in the stock firmware. An OpenWrt "factory" image has a very abbreviated version of the header just to meet those requirements, and it never contains new bootloader code.

OpenWrt doesn't ever overwrite a bootloader automatically. For some models, modifying the bootloader is required for installation, and the owner is directed to do that manually. Building bootloaders is mostly outside the scope of OpenWrt.

The header is not stored in the flash chip. It is used by stock processes (stock web gui or bootloader recovery) to verify and organize the firmware for flashing then discarded. OpenWrt "sysupgrade" images are purely byte for byte what should be written to the firmware partition of the flash chip. They have no header at all.