Archer D7 support

I am going to add support for this modem-router with this commit.
Small HW recap:
TP-Link Archer D7 v1 is a dual-band AC1750 router + modem.
The router section is based on Qualcomm/Atheros QCA9558 + QCA9880.
The "DSL" section is based on BCM6318 but it's currently not supported.

Before creating a proper PR I would like to solve some problems, if someone could help me:

1) Switch configuration (IMPORTANT)
The BCM chip is connected to the QCA through the 6th port of the switch.
The right configuration should be:

ucidef_set_interfaces_lan_wan "eth1.1" "eth0.2"
ucidef_add_switch "switch0" \
	"0@eth1" "2:lan:4" "3:lan:3" "4:lan:2" "5:lan:1" "6@eth0" "1:wan"

VLAN1
Although with this configuration we can try to make the DSL part work, a common user gets an always connected but not working port to deal with.
So I decided to ignore the DSL port in the switch configuration and assign the last LAN port as WAN (it's labelled LAN/WAN on the case):

ucidef_add_switch "switch0" \
	"0@eth1" "2:wan:4" "3:lan:3" "4:lan:2" "5:lan:1"

VLAN0
Is this the right way? Probably it would be better to create another WAN port in another VLAN...


2) Network LED always ON
Because of the internal connection to the BCM CPU, the switch always has a connected port.
Moreover this modem has just one LED to show LAN activity... so with this configuration I have the LED always on even if no ethernet cables are connected to it.

ucidef_set_led_switch "lan" "LAN" "$board:white:lan" "switch0" "0x1E"

I didn't find any hint online about the last value... or how to find it... any advice?
(p.s. The commit I linked says that I am missing the GPIO number... later I found it and fixed)


3) WIFI2G-WIFI5G and USB1-USB2 with one LED
There is just a LED for both wifi interfaces and both USB ports.
Starting with the USB ports, there is an option in LuCI to enable the LED with both USB ports, but I don't know how to replicate it in the 01_leds file. I would need something like:

ucidef_set_led_usbdev "usb" "USB" "$board:white:usb" "1-1;2-1"

As for the WLAN LED, I have no idea how to configure both interfaces using one LED, even in LuCI...


4) TPLINK_FLASHLAYOUT := 16Mltq
Apparently this is the only ar71xx device to require the TP-Link header v3, while other ar71xx devices need the safeloader or the v1. However, a flash layout for this device exists only for some lantiq devices. I got the fw working using the 16Mltq layout but this is not formally correct in theory, but I think that it is a waste of time to rewrite the flash layout scheme just for this device. What should I do?


5) Flashing the firmware:
Until now I worked only using the initramfs image. So I bought a CH341A in case of bad problems, but I have never used a programmer like this and according to the supported chip list in "flashrom" or in the original software of the manufacturer, there is no 25Q128FVSG chip. Is it safe or not?



NOT NEEDED FOR THE PR

6) Speak to BCM6318 (Probably needs a separate thread):
It would be cool to reverse engineer the communication between these two CPUs and make the DSL part fully working. From what I can see, they are using the same configuration as the VR2600.
If someone else is interested we could create a separate thread.

7) Missing INTERNET and BROADBAND LEDS:
Probably they are connected directly to the BCM CPU.
The only pin that can light them up is:
gpiochip 0 pin 19... but it's just a reset... in fact if I type:

echo 19 > /sys/class/gpio/export
echo out > /sys/class/gpio/gpio19/direction

These two LEDs blink one time and the BCM CPU resets itself with this message:

irq.c: reset_fac_irq is set to hi_trigger.
Restore to Factory Default Setting ***

However I would not mind this because it should be connected to the main DSL problem


So after building the firmware myself, I realized that flashing only works with a UART connection to the router? Also, isn't there some TFTP recovery mode over 192.168.0.66 on the D7 (couldn't find documentation)? Is there a chance that the D7 will ever be officially supported? Since this router costs only 30€ used, it would be sad if it can't get flashed the easy way.

TP-Link modems typically have a TFTP mode. The address has changed with various versions. tcpdump or, better, wireshark running on your connected "desktop" would help to see what packets it is sending out during boot. Then once you have a TFTP server up on that address, you can "snoop" to see the file name it is trying to download.

Some of the TFTP variants are described on the Archer C5/C7 page https://openwrt.org/toh/tp-link/archer-c5-c7-wdr7500

Wireshark didn't log anything TFTP-like. After some research I am assuming that TP-Link routers that use the version 3 header are a bit more complicated. -.- (see TD-W9980, TD-W8970)

And... I bricked mine.
I tried to flash stock firmware after OpenWrt didn't work.

Trying to debrick (unsuccessful)

1. Building usable FW
dd if='Archer_D7bv1_0.9.1_0.6_up_boot(150113)_2015-01-13_17.48.30.bin' of=0101A8C0.img skip=257 bs=512

2. Flashing it


U-Boot 1.1.4 (Jan 21 2016 - 16:02:58)

ap135 - Scorpion 1.0
DRAM:  128 MB
Flash Manuf Id 0xef, DeviceId0 0x40, DeviceId1 0x18
flash size 16MB, sector count = 256
Flash: 16 MB
Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ath_gmac_enet_initialize...
athrs_sgmii_res_cal: cal value = 0xe
ath_gmac_enet_initialize: reset mask:c02200
Scorpion  ----> S17 PHY *
athrs17_reg_init: complete
: cfg1 0x80000000 cfg2 0x7114
eth0: c4:e9:84:d6:6c:81
eth0 up
athrs17_reg_init_wan done
SGMII in forced mode
athr_gmac_sgmii_setup SGMII done
: cfg1 0x800c0000 cfg2 0x7214
eth1: c4:e9:84:d6:6c:82
eth1 up
eth0, eth1
Setting 0x18116290 to 0x4081214f
Hit any key to stop autoboot:  0
AP135> tftpboot
dup 1 speed 1000
*** Warning: no boot file name; using '0101A8C0.img'
Using eth0 device
TFTP from server 192.168.1.100; our IP address is 192.168.1.1
Filename '0101A8C0.img'.
Load address: 0x80100000
Loading: T T T T #################################################################
         #############
done
Bytes transferred = 18367460 (11843e4 hex)
AP135> erase 0x9f020000 +f80000
Erasing flash...
First 0x2 last 0xf9 sector size 0x10000                                                       249
Erased 248 sectors
AP135> cp.b 0x80100000 0x9f020000 0xf80000
Copy to Flash... write addr: 9f020000
done
AP135> reset

3. Router still bricked

U-Boot 1.1.4 (Jan 21 2016 - 16:02:58)

ap135 - Scorpion 1.0
DRAM:  128 MB
Flash Manuf Id 0xef, DeviceId0 0x40, DeviceId1 0x18
flash size 16MB, sector count = 256
Flash: 16 MB
Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ath_gmac_enet_initialize...
athrs_sgmii_res_cal: cal value = 0xe
ath_gmac_enet_initialize: reset mask:c02200
Scorpion  ----> S17 PHY *
athrs17_reg_init: complete
: cfg1 0x80000000 cfg2 0x7114
eth0: c4:e9:84:d6:6c:81
eth0 up
athrs17_reg_init_wan done
SGMII in forced mode
athr_gmac_sgmii_setup SGMII done
: cfg1 0x800c0000 cfg2 0x7214
eth1: c4:e9:84:d6:6c:82
eth1 up
eth0, eth1
Setting 0x18116290 to 0x4081214f
Hit any key to stop autoboot:  0
## Booting image at 80800000 ...
        Uncompressing Kernel Image ... OK

Starting kernel ...

Booting QCA955x
Linux version 2.6.31--LSDK-9.5.2.18 (swd@localhost.localdomain) (gcc version 4.3.3 (GCC) ) #4 Mon Dec 22 15:16:18 CST 2014
flash_size passed from bootloader = 16
arg 1: console=ttyS0,115200
arg 2: root=31:02
arg 3: rootfstype=squashfs
arg 4: init=/sbin/init
arg 5: mtdparts=ath-nor0:128k(u-boot),1280k(kernel),14656k(rootfs),64k(radioDECT),64k(config),64k(romfs),64k(rom),64k(radio)
arg 6: mem=128M
CPU revision is: 00019750 (MIPS 74Kc)
cpu apb ddr apb ath_sys_frequency: cpu 720 ddr 600 ahb 200
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
User-defined physical RAM map:
 memory: 08000000 @ 00000000 (usable)
Zone PFN ranges:
  Normal   0x00000000 -> 0x00008000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00008000
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 32512
Kernel command line: console=ttyS0,115200 root=31:02 rootfstype=squashfs init=/sbin/init mtdparts=ath-nor0:128k(u-boot),1280k(kernel),14656k(rootfs),64k(radioDECT),64k(config),64k(romfs),64k(rom),64k(radio) mem=128M
PID hash table entries: 512 (order: 9, 2048 bytes)
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
Writing ErrCtl register=00000000
Readback ErrCtl register=00000000
Memory: 112256k/131072k available (2268k kernel code, 18644k reserved, 600k data, 136k init, 0k highmem)
NR_IRQS:128
plat_time_init: plat time init done
Calibrating delay loop... 359.42 BogoMIPS (lpj=718848)
Mount-cache hash table entries: 512

****************ALLOC***********************
 Packet mem: 8030f300 (0xe00000 bytes)
********************************************

NET: Registered protocol family 16
ath_pcibios_init: bus 0
***** Warning PCIe 0 H/W not found !!!
registering PCI controller with io_map_base unset
ath_pcibios_init: bus 1
ath_pcibios_init(232): PCI 1 CMD write: 0x356
registering PCI controller with io_map_base unset
bio: create slab <bio-0> at 0
pcibios_map_irq: IRQ 76 for bus 1
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 4096 (order: 3, 32768 bytes)
TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP reno registered
NET: Registered protocol family 1
ATH GPIOC major 0
squashfs: version 4.0 (2009/01/31) Phillip Lougher
fuse init (API version 7.12)
msgmni has been set to 219
alg: No test for stdrng (krng)
io scheduler noop registered
io scheduler deadline registered
io scheduler cfq registered (default)
Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
serial8250.0: ttyS0 at MMIO 0xb8020000 (irq = 19) is a 16550A
console [ttyS0] enabled
brd: module loaded
loop: module loaded
PPP generic driver version 2.4.2
NET: Registered protocol family 24
8 cmdlinepart partitions found on MTD device ath-nor0
Creating 8 MTD partitions on "ath-nor0":
0x000000000000-0x000000020000 : "u-boot"
0x000000020000-0x000000160000 : "kernel"
0x000000160000-0x000000fb0000 : "rootfs"
0x000000fb0000-0x000000fc0000 : "radioDECT"
0x000000fc0000-0x000000fd0000 : "config"
0x000000fd0000-0x000000fe0000 : "romfs"
0x000000fe0000-0x000000ff0000 : "rom"
0x000000ff0000-0x000001000000 : "radio"
Mirror/redirect action on
u32 classifier
    Actions configured
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (2048 buckets, 10240 max)
CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or
sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
ip_tables: (C) 2000-2006 Netfilter Core Team
TCP cubic registered
NET: Registered protocol family 10
ip6_tables: (C) 2000-2006 Netfilter Core Team
IPv6 over IPv4 tunneling driver
NET: Registered protocol family 17
NET: Registered protocol family 15
Ebtables v2.0 registered
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
arch/mips/atheros/gpio.c (ath_simple_config_init) JUMPSTART_GPIO: 16
athwdt_init: Registering WDT success
ath_otp_init: Registering OTP success
List of all partitions:
1f00             128 mtdblock0 (driver?)
1f01            1280 mtdblock1 (driver?)
1f02           14656 mtdblock2 (driver?)
1f03              64 mtdblock3 (driver?)
1f04              64 mtdblock4 (driver?)
1f05              64 mtdblock5 (driver?)
1f06              64 mtdblock6 (driver?)
1f07              64 mtdblock7 (driver?)
No filesystem could mount root, tried:  squashfs
Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(31,2)

But I got OpenWrt to work with that initramfs and bootm thing.

Suggestions?
THX

You transferred about 17,5 Megabyte! I am not at home so I can't verify what I am saying, but from what I remember the TP-Link firmwares also include the modem firmware, so you should first remove that part (2 Megabyte) and then the bootloader header part as you did... However I'll be at home in 2-3 hours and I'll check what I said :wink:
P.s. Do you have an ADSL connection? I compiled tcpdump for the stock firmware so we can capture the traffic between the two processors but I don't have ADSL anymore so I can't test what happens when the modem connects :slight_smile:

Oh that makes total sense now.. I realized that it is too big but couldn't figure out what else I want to delete. I sadly also don't have ADSL but at my girlfriend's home I might be able to do some tests for a short period just for pulling some logs. If the ISP "Deutsche Telekom" doesn't block a little router change on a complicated LTE/ADSL Hybrid contract without telling them.

Edit: I deleted from 0xFC0200 to the end and skipped 257 at the beginning using dd. Now my image size is: 16384000 (fa0000 hex) [your image was 16646144 (fe0000 hex)] and it still hangs at the same part as before.

EDIT
From what I see here, if you wrote your memory correctly, the problem could be wrong bootargs...
So in the bootloader if you type:
printenv bootargs
it should print something like this:

bootargs=console=ttyS0,115200 root=31:02 rootfstype=squashfs init=/sbin/init mtdparts=ath-nor0:128k(u-boot),1280k(kernel),14656k(rootfs),64k(radioDECT),64k(config),64k(romfs),64k(rom),64k(radio)

END EDIT

Do you have a backup of your modem? It would be easier to recover...
Your commands shouldn't have overwritten any important partition because you erased just f80000... but I don't know what you did to brick it the first time.

Could you try these commands in the bootloader?

md.b 0x9FFDF0F0 0x30

This should print something like this (With your mac address instead of X):

9ffdf0f0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
9ffdf100: XX XX XX XX XX XX ff ff ff ff ff ff ff ff ff ff    XXXXXX..........
9ffdf110: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................

Then try:

md.b 0x9FFF0FF0 0x30
This should print the beginning of your art partition... something like this:

9fff0ff0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
9fff1000: 02 02 00 02 03 04 05 06 00 00 00 00 00 00 00 00    ................
9fff1010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1f 00    ................

Mhh, it could be the case that I erased more than f80000, I'm not that sure...

Backup of my modem... I googled a bit how to back up before I bricked it but didn't find a quick solution, so I just backed up the configuration within the TP-Link firmware, hoping that it is useful. (I think this was stupid, but back then when I used JTAG on the WRT54G it was so easy to back up the whole flash. But on serial I am a bit lost with extracting data.)

Here are my results to the commands

AP135> printenv bootargs
bootargs=console=ttyS0,115200 root=31:02 rootfstype=squashfs init=/sbin/init mtdparts=ath-nor0:128k(u-boot),1280k(kernel),14656k(rootfs),64k(radioDECT),64k(config),64k(romfs),64k(rom),64k(radio)
AP135> md.b 0x9FFDF0F0 0x30
9ffdf0f0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
9ffdf100: c4 e9 84 d6 6c 81 ff ff ff ff ff ff ff ff ff ff    ....l...........
9ffdf110: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
AP135> md.b 0x9FFF0FF0 0x30
9fff0ff0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
9fff1000: 02 02 00 02 03 04 05 06 00 00 00 00 00 00 00 00    ................
9fff1010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1f 00    ................
AP135>

Everything seems good.

  1. Bootloader is working
  2. You didn't overwrite art partition

And... probably I found your problem... there is also the bootloader to remove (first 20000 hex)

I successfully booted this firmware from RAM (tftpboot and bootm method) (it's the original firmware but cut).
Try it and let me know!

And I also have more good news... I got complete shell access without opening the router, using the same trick used for the w9980! :slight_smile:

So my result & the flashing process with the firmware from above (still not working)

U-Boot 1.1.4 (Jan 21 2016 - 16:02:58)

ap135 - Scorpion 1.0
DRAM:  128 MB
Flash Manuf Id 0xef, DeviceId0 0x40, DeviceId1 0x18
flash size 16MB, sector count = 256
Flash: 16 MB
Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ath_gmac_enet_initialize...
athrs_sgmii_res_cal: cal value = 0xe
ath_gmac_enet_initialize: reset mask:c02200
Scorpion  ----> S17 PHY *
athrs17_reg_init: complete
: cfg1 0x80000000 cfg2 0x7114
eth0: c4:e9:84:d6:6c:81
eth0 up
athrs17_reg_init_wan done
SGMII in forced mode
athr_gmac_sgmii_setup SGMII done
: cfg1 0x800c0000 cfg2 0x7214
eth1: c4:e9:84:d6:6c:82
eth1 up
eth0, eth1
Setting 0x18116290 to 0x4081214f
Hit any key to stop autoboot:  0
AP135> tftpboot 0x80800000 archer_d7b_orig.bin
dup 1 speed 1000
Using eth0 device
TFTP from server 192.168.1.100; our IP address is 192.168.1.1
Filename 'archer_d7b_orig.bin'.
Load address: 0x80800000
Loading: #################################################################
done
Bytes transferred = 16384000 (fa0000 hex)
AP135> bootm
## Booting image at 80800000 ...
        Uncompressing Kernel Image ... OK

Starting kernel ...

Booting QCA955x
Linux version 2.6.31--LSDK-9.5.2.18 (swd@localhost.localdomain) (gcc version 4.3.3 (GCC) ) #4 Mon Dec 22 15:16:18 CST 2014
flash_size passed from bootloader = 16
arg 1: console=ttyS0,115200
arg 2: root=31:02
arg 3: rootfstype=squashfs
arg 4: init=/sbin/init
arg 5: mtdparts=ath-nor0:128k(u-boot),1280k(kernel),14656k(rootfs),64k(radioDECT),64k(config),64k(romfs),64k(rom),64k(radio)
arg 6: mem=128M
CPU revision is: 00019750 (MIPS 74Kc)
cpu apb ddr apb ath_sys_frequency: cpu 720 ddr 600 ahb 200
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
User-defined physical RAM map:
 memory: 08000000 @ 00000000 (usable)
Zone PFN ranges:
  Normal   0x00000000 -> 0x00008000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00008000
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 32512
Kernel command line: console=ttyS0,115200 root=31:02 rootfstype=squashfs init=/sbin/init mtdparts=ath-nor0:128k(u-boot),1280k(kernel),14656k(rootfs),64k(radioDECT),64k(config),64k(romfs),64k(rom),64k(radio) mem=128M
PID hash table entries: 512 (order: 9, 2048 bytes)
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
Writing ErrCtl register=00000000
Readback ErrCtl register=00000000
Memory: 112256k/131072k available (2268k kernel code, 18644k reserved, 600k data, 136k init, 0k highmem)
NR_IRQS:128
plat_time_init: plat time init done
Calibrating delay loop... 359.42 BogoMIPS (lpj=718848)
Mount-cache hash table entries: 512

****************ALLOC***********************
 Packet mem: 8030f300 (0xe00000 bytes)
********************************************

NET: Registered protocol family 16
ath_pcibios_init: bus 0
***** Warning PCIe 0 H/W not found !!!
registering PCI controller with io_map_base unset
ath_pcibios_init: bus 1
ath_pcibios_init(232): PCI 1 CMD write: 0x356
registering PCI controller with io_map_base unset
bio: create slab <bio-0> at 0
pcibios_map_irq: IRQ 76 for bus 1
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 4096 (order: 3, 32768 bytes)
TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP reno registered
NET: Registered protocol family 1
ATH GPIOC major 0
squashfs: version 4.0 (2009/01/31) Phillip Lougher
fuse init (API version 7.12)
msgmni has been set to 219
alg: No test for stdrng (krng)
io scheduler noop registered
io scheduler deadline registered
io scheduler cfq registered (default)
Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
serial8250.0: ttyS0 at MMIO 0xb8020000 (irq = 19) is a 16550A
console [ttyS0] enabled
brd: module loaded
loop: module loaded
PPP generic driver version 2.4.2
NET: Registered protocol family 24
8 cmdlinepart partitions found on MTD device ath-nor0
Creating 8 MTD partitions on "ath-nor0":
0x000000000000-0x000000020000 : "u-boot"
0x000000020000-0x000000160000 : "kernel"
0x000000160000-0x000000fb0000 : "rootfs"
0x000000fb0000-0x000000fc0000 : "radioDECT"
0x000000fc0000-0x000000fd0000 : "config"
0x000000fd0000-0x000000fe0000 : "romfs"
0x000000fe0000-0x000000ff0000 : "rom"
0x000000ff0000-0x000001000000 : "radio"
Mirror/redirect action on
u32 classifier
    Actions configured
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (2048 buckets, 10240 max)
CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or
sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
ip_tables: (C) 2000-2006 Netfilter Core Team
TCP cubic registered
NET: Registered protocol family 10
ip6_tables: (C) 2000-2006 Netfilter Core Team
IPv6 over IPv4 tunneling driver
NET: Registered protocol family 17
NET: Registered protocol family 15
Ebtables v2.0 registered
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
arch/mips/atheros/gpio.c (ath_simple_config_init) JUMPSTART_GPIO: 16
athwdt_init: Registering WDT success
ath_otp_init: Registering OTP success
List of all partitions:
1f00             128 mtdblock0 (driver?)
1f01            1280 mtdblock1 (driver?)
1f02           14656 mtdblock2 (driver?)
1f03              64 mtdblock3 (driver?)
1f04              64 mtdblock4 (driver?)
1f05              64 mtdblock5 (driver?)
1f06              64 mtdblock6 (driver?)
1f07              64 mtdblock7 (driver?)
No filesystem could mount root, tried:  squashfs
Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(31,2)


& Great that the trick also works on this router. (I also wanted to try it but somehow I didn't do it after downloading the tools)

Mmmmm, could you try to flash it on the NOR?

tftp 0x81000000 [name of your firmware file].bin
erase 0x9f020000 +f80000
cp.b 0x81000000 0x9f020000 0xf80000
reset

Is this the correct procedure for NOR flash?

With this I am still getting the same error... If nothing works I could try getting a new router or a flash programmer.

In my opinion your router can be fully recovered... because you have a working bootloader and a working art partition...
BUT before any other experiment, I advise you to boot the OpenWrt image (the initramfs image should work) and then do a backup of your mtd partitions. The first and the last are the most important.
However... I am not a bootloader expert but your commands should be correct.
I have just one doubt... I don't know if the whole kernel+rootfs partition must be erased before you flash the new firmware.
If my assumption is correct, you should do:

tftp 0x81000000 [name of your firmware file].bin
erase 0x9f020000 +fa0000
cp.b 0x81000000 0x9f020000 0xf80000
reset

Fingers crossed.. :crossed_fingers:

So I used the script for Generic Backup / Create Full MTD Backup. Backup worked nicely! Should have done this before bricking it...

But sadly erasing kernel+rootfs and then flashing again didn't make a change.

Ok... probably we are getting near the solution...
Do you have the "b" version of the D7?

I downloaded the same "Archer_D7bv1_0.9.1_0.6_up_boot(150113)_2015-01-13_17.48.30.bin" version that you used earlier today... but that "b" version of the firmware has a smaller kernel partition and bigger rootfs partition... and that's why you have a firmware "split" in two partitions and it can't be started...

But your bootargs are like the "standard" version...

1152k(kernel),14848k(rootfs) = B VERSION
vs
1280k(kernel),14656k(rootfs) = STANDARD VERSION

Did you edit it in the bootloader?

So you can choose one of these:

  1. Edit the bootargs in the bootloader like the "b" version:
    bootargs=console=ttyS0,115200 root=31:02 rootfstype=squashfs init=/sbin/init mtdparts=ath-nor0:128k(u-boot),1152k(kernel),14848k(rootfs),64k(config),64k(romfs),64k(reserve),64k(radio)
  2. Cut the standard firmware version and flash it

If you have the D7b, I would choose the first one...

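Added example (not code from any poster in this thread): a Python check for the kernel/rootfs split mismatch described above. It parses the `mtdparts=` string from the bootargs and verifies that a stripped image has a squashfs superblock at the offset where the kernel will look for the rootfs partition; the sample image is constructed, and the check assumes the image is written at the start of the kernel partition and that the rootfs begins exactly at its partition boundary.

```python
import re

SQUASHFS_MAGIC = (b"hsqs", b"sqsh")   # squashfs superblock magic, LE and BE
ERASE_BLOCK = 0x10000                 # "sector size 0x10000" in the U-Boot log

# The two bootargs layouts quoted in the thread.
STANDARD = ("console=ttyS0,115200 root=31:02 rootfstype=squashfs init=/sbin/init "
            "mtdparts=ath-nor0:128k(u-boot),1280k(kernel),14656k(rootfs),"
            "64k(radioDECT),64k(config),64k(romfs),64k(rom),64k(radio)")
B_VERSION = ("console=ttyS0,115200 root=31:02 rootfstype=squashfs init=/sbin/init "
             "mtdparts=ath-nor0:128k(u-boot),1152k(kernel),14848k(rootfs),"
             "64k(config),64k(romfs),64k(reserve),64k(radio)")


def parse_mtdparts(bootargs):
    """Return {name: (flash_offset, size)} from a cmdlinepart mtdparts string."""
    m = re.search(r"mtdparts=[^:\s]+:(\S+)", bootargs)
    if m is None:
        raise ValueError("no mtdparts= found in bootargs")
    units = {"": 1, "k": 1024, "m": 1024 * 1024}
    layout, offset = {}, 0
    for spec in m.group(1).split(","):
        pm = re.fullmatch(r"(\d+)([kKmM]?)\(([^)]+)\)", spec)
        if pm is None:
            raise ValueError(f"unsupported partition spec: {spec!r}")
        size = int(pm.group(1)) * units[pm.group(2).lower()]
        layout[pm.group(3)] = (offset, size)
        offset += size
    return layout


def find_squashfs(image):
    """Erase-block-aligned offsets in the image that carry a squashfs magic."""
    return [off for off in range(0, len(image), ERASE_BLOCK)
            if image[off:off + 4] in SQUASHFS_MAGIC]


def check_image(image, bootargs):
    """Check a stripped image (kernel first, then rootfs) against the bootargs."""
    layout = parse_mtdparts(bootargs)
    k_off, k_size = layout["kernel"]
    r_off, r_size = layout["rootfs"]
    expected = r_off - k_off          # where rootfs must start inside the image
    found = find_squashfs(image)
    problems = []
    if len(image) > k_size + r_size:
        problems.append(f"image is {len(image):#x} bytes, kernel+rootfs hold "
                        f"only {k_size + r_size:#x}")
    if image[expected:expected + 4] not in SQUASHFS_MAGIC:
        where = ", ".join(hex(o) for o in found) or "nowhere"
        problems.append(f"no squashfs at image offset {expected:#x} "
                        f"(magic found at: {where})")
    return {"expected_rootfs_offset": expected, "found": found,
            "problems": problems}


def make_image(bootargs, rootfs_len=ERASE_BLOCK):
    """Constructed sample: 0xff filler kernel followed by a fake squashfs header."""
    layout = parse_mtdparts(bootargs)
    kernel = b"\xff" * layout["kernel"][1]
    rootfs = b"hsqs" + b"\xff" * (rootfs_len - 4)
    return kernel + rootfs


if __name__ == "__main__":
    # A "b"-layout image checked against the standard bootargs of the device.
    image = make_image(B_VERSION)
    for name, args in (("standard", STANDARD), ("b version", B_VERSION)):
        result = check_image(image, args)
        print(name, "->", result["problems"] or "rootfs offset matches")
```

Run against a real stripped file by reading it with `open(path, "rb").read()` and passing the output of `printenv bootargs` as the second argument.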

Okay, after realizing that my device is an "Archer D7 EU v1", not an "Archer D7b V1", and finding the right image, which strangely is not provided on the German TP-Link website, I downloaded the image, stripped it (dd skip=257 bs=512 for the beginning, and a hex editor for the modem firmware) and flashed it:

U-Boot 1.1.4 (Jan 21 2016 - 16:02:58)
...
Hit any key to stop autoboot:  0

AP135> tftp 0x81000000 TheRightFirmwareForMyRouter_haxed_stripped.bin

dup 1 speed 1000
Using eth0 device
TFTP from server 192.168.1.100; our IP address is 192.168.1.1
Filename 'TheRightFirmwareForMyRouter_haxed_stripped.bin'.
Load address: 0x81000000
Loading: #################################################################
         #################################################################
done
Bytes transferred = 12832256 (c3ce00 hex)  //yes I deleted too much at the end but it worked

AP135> erase 0x9f020000 +f80000

Erasing flash...
First 0x2 last 0xf9 sector size 0x10000                                                              249
Erased 248 sectors

AP135> cp.b 0x81000000 0x9f020000 0xf80000

Copy to Flash... write addr: 9f020000
done

AP135> reset

just a normal boot from here on.....
U-Boot 1.1.4 (Jan 21 2016 - 16:02:58)

ap135 - Scorpion 1.0
DRAM:  128 MB
Flash Manuf Id 0xef, DeviceId0 0x40, DeviceId1 0x18
flash size 16MB, sector count = 256
Flash: 16 MB
Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ath_gmac_enet_initialize...
athrs_sgmii_res_cal: cal value = 0xe
ath_gmac_enet_initialize: reset mask:c02200
Scorpion  ----> S17 PHY *
athrs17_reg_init: complete
: cfg1 0x80000000 cfg2 0x7114
eth0: c4:e9:84:d6:6c:81
eth0 up
athrs17_reg_init_wan done
SGMII in forced mode
athr_gmac_sgmii_setup SGMII done
: cfg1 0x800c0000 cfg2 0x7214
eth1: c4:e9:84:d6:6c:82
eth1 up
eth0, eth1
Setting 0x18116290 to 0x4081214f
Hit any key to stop autoboot:  0
## Booting image at 80800000 ...
        Uncompressing Kernel Image ... OK

Starting kernel ...

Booting QCA955x
Linux version 2.6.31--LSDK-9.5.2.18 (root@localhost.localdomain) (gcc version 4.3.3 (GCC) ) #2 Thu Jan 21 16:05:34 CST 2016
flash_size passed from bootloader = 16
arg 1: console=ttyS0,115200
arg 2: root=31:02
arg 3: rootfstype=squashfs
arg 4: init=/sbin/init
arg 5: mtdparts=ath-nor0:128k(u-boot),1280k(kernel),14656k(rootfs),64k(radioDECT),64k(config),64k(romfs),64k(rom),64k(radio)
arg 6: mem=128M
CPU revision is: 00019750 (MIPS 74Kc)
cpu apb ddr apb ath_sys_frequency: cpu 720 ddr 600 ahb 200
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
User-defined physical RAM map:
 memory: 08000000 @ 00000000 (usable)
Zone PFN ranges:
  Normal   0x00000000 -> 0x00008000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00008000
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 32512
Kernel command line: console=ttyS0,115200 root=31:02 rootfstype=squashfs init=/sbin/init mtdparts=ath-nor0:128k(u-boot),1280k(kernel),14656k(rootfs),64k(radioDECT),64k(config),64k(romfs),64k(rom),64k(radio) mem=128M
PID hash table entries: 512 (order: 9, 2048 bytes)
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
Writing ErrCtl register=00000000
Readback ErrCtl register=00000000
Memory: 112256k/131072k available (2268k kernel code, 18644k reserved, 600k data, 136k init, 0k highmem)
NR_IRQS:128
plat_time_init: plat time init done
Calibrating delay loop... 359.42 BogoMIPS (lpj=718848)
Mount-cache hash table entries: 512

****************ALLOC***********************
 Packet mem: 8030f300 (0xe00000 bytes)
********************************************

NET: Registered protocol family 16
ath_pcibios_init: bus 0
***** Warning PCIe 0 H/W not found !!!
registering PCI controller with io_map_base unset
ath_pcibios_init: bus 1
ath_pcibios_init(232): PCI 1 CMD write: 0x356
registering PCI controller with io_map_base unset
bio: create slab <bio-0> at 0
pcibios_map_irq: IRQ 76 for bus 1
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 4096 (order: 3, 32768 bytes)
TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP reno registered
NET: Registered protocol family 1
ATH GPIOC major 0
squashfs: version 4.0 (2009/01/31) Phillip Lougher
fuse init (API version 7.12)
msgmni has been set to 219
alg: No test for stdrng (krng)
io scheduler noop registered
io scheduler deadline registered
io scheduler cfq registered (default)
Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
serial8250.0: ttyS0 at MMIO 0xb8020000 (irq = 19) is a 16550A
console [ttyS0] enabled
brd: module loaded
loop: module loaded
PPP generic driver version 2.4.2
NET: Registered protocol family 24
8 cmdlinepart partitions found on MTD device ath-nor0
Creating 8 MTD partitions on "ath-nor0":
0x000000000000-0x000000020000 : "u-boot"
0x000000020000-0x000000160000 : "kernel"
0x000000160000-0x000000fb0000 : "rootfs"
0x000000fb0000-0x000000fc0000 : "radioDECT"
0x000000fc0000-0x000000fd0000 : "config"
0x000000fd0000-0x000000fe0000 : "romfs"
0x000000fe0000-0x000000ff0000 : "rom"
0x000000ff0000-0x000001000000 : "radio"
Mirror/redirect action on
u32 classifier
    Actions configured
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (2048 buckets, 10240 max)
CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or
sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
ip_tables: (C) 2000-2006 Netfilter Core Team
TCP cubic registered
NET: Registered protocol family 10
ip6_tables: (C) 2000-2006 Netfilter Core Team
IPv6 over IPv4 tunneling driver
NET: Registered protocol family 17
NET: Registered protocol family 15
Ebtables v2.0 registered
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
arch/mips/atheros/gpio.c (ath_simple_config_init) JUMPSTART_GPIO: 16
athwdt_init: Registering WDT success
ath_otp_init: Registering OTP success
VFS: Mounted root (squashfs filesystem) readonly on device 31:2.  // this is the part where it panicked
Freeing unused kernel memory: 136k freed
starting pid 165, tty '': '/etc/init.d/rcS'
mount: mounting devpts on /dev/pts failed: No such device
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
Port Status 1c000004
ath-ehci ath-ehci.0: ATH EHCI
ath-ehci ath-ehci.0: new USB bus registered, assigned bus number 1
ehci_reset Intialize USB CONTROLLER in host mode: 13
ehci_reset Port Status 1c000000
ath-ehci ath-ehci.0: irq 3, io mem 0x1b000000
ehci_reset Intialize USB CONTROLLER in host mode: 13
ehci_reset Port Status 1c000000
ath-ehci ath-ehci.0: USB 2.0 started, EHCI 1.00
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
Port Status 1c000000
ath-ehci1 ath-ehci1.1: ATH EHCI
ath-ehci1 ath-ehci1.1: new USB bus registered, assigned bus number 2
ehci_reset Intialize USB CONTROLLER in host mode: 13
ehci_reset Port Status 1c000000
ath-ehci1 ath-ehci1.1: irq 3, io mem 0x1b400000
ehci_reset Intialize USB CONTROLLER in host mode: 13
ehci_reset Port Status 1c000000
ath-ehci1 ath-ehci1.1: USB 2.0 started, EHCI 1.00
usb usb2: configuration #1 chosen from 1 choice
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 1 port detected
ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
Initializing USB Mass Storage driver...
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
dns_init
domain_name:tplinkmodem.net
PPPoL2TP kernel driver, V1.0
and so on....

And for a safe cleanup I flashed the FW as it came from TP-Link through the TP-Link web interface.
It looks like this on serial, if someone needs this info:

[ rsl_sys_verifyFirmware ] 1230:  Image Signature check OK(firmwareLength=0x1196564)!

[ rsl_sys_updateFirmware ] 1301:  NEW: swRevision-0x55aa0106, platformVer-0xa5000901, swSignature-0x90101

[ rsl_getCurrSwSignature ] 761:  CURR: swRevision-0x55aa0106, platformVer-0xa5000901, swSignature-0x90101

**** drop_caches_sysctl_handler: all done timer added ...****
Erase from 0 with fb0000 bytes .............................FWLOG: [877582] WAL_DBGID_BB_WDOG_TRIGGERED ( 0xd640e, 0x2300000a, 0x11030, 0xfe7 )
............................................................................................................................................................
Enet:1 port:0 down
............
Enet:1 port0 up
......................................................


U-Boot 1.1.4 (Jan 21 2016 - 16:02:58)
...

Thanks a lot for your help and time. It was a somewhat stupid mistake...

That's great news! Good job! :slight_smile:
However, this is tcpdump compiled for the OEM firmware... If you want to try it, you have to intercept the traffic from eth0.1 (it's the internal ethernet port connected to the other CPU)... but it's probably better to start a new thread just for this.

If I am able to run the tcpdump we might start a thread, but right now I am not sure what to do with the file; I will do some research around the whole topic. Also, from now on my computer tinker time is a bit limited for the next 2 weeks due to vacation.

Don't worry, I'll start a new thread later today with the instructions to run it, so everyone can help.
However, this problem is not blocking the commit, so there is no hurry! :wink:

This is the link for the new thread: