Archer TP-Link C60 Bad Magic

Installing and Using OpenWrt
1

Hello Folks,

I've been having some... Interesting issues with installing OpenWRT to my TP-Link C60 V2. Following the instructions on Serial + TFTP boot flashing here, unfortunately the device immediately returns with:

## Booting image at 9f030000 ...
*****Bad Magic Number*****

Which is rather unfortunate. I also did try to force it to load by going bootm 0x9f030000 which gave me the same angry bad magic number. I was able to successfully load the stock image back by starting up the httpd process in U-Boot. It also somehow kept all my previous configurations?

The current TP-Link firmware running on it is: Archer C60(CA)_V2_161206

A bit of an oddity I came accross is that it appears to have two separate u-boot environments running? The first one being the standard one you need to type tpl quickly to get into, with some additional TP Link functionality, and the second one being what looks to be a stock U-Boot without the extra commands.

Any ideas on how to get OpenWRT up and running on this router? What logs would I be able to provide?

I did also try to load up the OpenWRT image through the "emergency recovery" http server that I started, but it didn't like it either. I have a log captured of that (after the download and load into the address 0x80060000):

fw type name : .
Firmware process common.
Image verify OK!
Firmware file Verify ok!
[Error]sysmgr_proinfo_buildStruct():  647 @ unknown id(device_name), skip it.
[Error]sysmgr_cfg_checkSupportList():  971 @ 42520000 NOT Match.
[Error]sysmgr_cfg_checkSupportList():  971 @ 45550000 NOT Match.
[Error]sysmgr_cfg_checkSupportList():  971 @ 55530000 NOT Match.
Firmwave not supports, check failed.
[NM_Error](nm_checkUpdateContent) 01172: the firmware is not for this model
[NM_Error](nm_buildUpgradeStruct) 01274: checkUpdateContent failed.
## Error: HTTP upgrade file check failed!

Thanks!

2

Those support list entries are just ASCII for country codes in the header, here 42 52 = "BR" 45 55 = "EU" and 55 53 = "US". I guess you have a CA model, which is none of those.

Looking at the first 512 bytes of both firmwares should show you what to change in the OpenWrt one.

3

Thanks for the reply! I took a deeper look into the country codes showing up in the HTTP firmware upload - I do think it's a red herring (which is completely my fault for showing the HTTP firmware log vs the actual boot log) because when I upload the TP Link CA version firmware it does show similar errors:

fw type name : Cloud.
Firmware process common.
Image verify OK!
Firmware file Verify ok!
[Error]sysmgr_proinfo_buildStruct():  647 @ unknown id(device_name), skip it.
[Error]sysmgr_cfg_checkSupportList():  971 @ 00000000 NOT Match.
Firmwave supports, check OK.
 (curFw_ver, newFw_ver) == (2.0, 2.0)
Firmware Recovery check ok!
upgrade_filecheck ok
HTTP upload is done! Upgrading...
do http upgrade
fw type name : Cloud.
Firmware process common.
Image verify OK!
Firmware file Verify ok!
[Error]sysmgr_proinfo_buildStruct():  647 @ unknown id(device_name), skip it.
[Error]sysmgr_cfg_checkSupportList():  971 @ 00000000 NOT Match.
Firmwave supports, check OK.
 (curFw_ver, newFw_ver) == (2.0, 2.0)
Firmware Recovery check ok!
set integer flag to 0.
######################################################################
##########################################################
Done.
set integer flag to 1.
Firmware Recovery Success!
HTTP ugrade is done! Rebooting...

You can see that the sysmgr_cfg_checkSupportList comes up with the good firmware. All that said, I did spend some time looking at the differences + similarities between the OpenWRT, TP Link CA, and TP Link US first 512-bytes and could not authoritatively say what the important values would be unfortunately. I'm happy to attach them if you'd like to look into them further though

Importantly, this time, I have the commands I ran and the log from the "Bad Magic" after attempting to boot the OpenWRT image:

ath> tftp 0x81000000 tp_recovery.bin
Trying eth0
eth0 link down
FAIL
Trying eth1
Using eth1 device
TFTP from server 192.168.0.10; our IP address is 192.168.0.1
Filename 'tp_recovery.bin'.
Load address: 0x81000000
Loading: #################################################################
        <snip>
         #####
done
Bytes transferred = 4684496 (477ad0 hex)
ath> erase 0x9f030000 +0x477ad0
Erasing flash...
First 0x3 last 0x4a sector size 0x10000
  74
Erased 72 sectors
ath> cp.b 0x81000000 0x9f030000 0x477ad0
Copy to Flash... write addr: 9f030000
done
ath> reset

U-Boot 1.1.4 (Nov 29 2016 - 15:25:42)

ap151 - Dragonfly 1.0

DRAM:  64 MB
Top of RAM usable for U-Boot at: 84000000
Reserving 402k for U-Boot at: 83f98000
Reserving 32832k for malloc() at: 81f88000
Reserving 44 Bytes for Board Info at: 81f87fd4
Reserving 36 Bytes for Global Data at: 81f87fb0
Reserving 128k for boot params() at: 81f67fb0
Stack Pointer at: 81f67f98
Now running in RAM - U-Boot at: 83f98000
Flash Manuf Id 0xc8, DeviceId0 0x40, DeviceId1 0x17
flash size 8MB, sector count = 128
Flash:  8 MB
Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ath_gmac_enet_initialize...
No valid address in Flash. Using fixed address
No valid address in Flash. Using fixed address
ath_gmac_enet_initialize: reset mask:c02200
Dragonfly----> S27 PHY *
: cfg1 0x80000000 cfg2 0x7114
eth0: 00:03:7f:09:0b:ad
athrs27_phy_setup ATHR_PHY_CONTROL 4 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 4 :10
eth0 up
ATHRS27: resetting s27
ATHRS27: s27 reset done
: cfg1 0x800c0000 cfg2 0x7214
eth1: 00:03:7f:09:0b:ad
athrs27_phy_setup ATHR_PHY_CONTROL 0 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 0 :50
athrs27_phy_setup ATHR_PHY_CONTROL 1 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 1 :50
athrs27_phy_setup ATHR_PHY_CONTROL 2 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 2 :50
athrs27_phy_setup ATHR_PHY_CONTROL 3 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 3 :10
eth1 up
eth0, eth1
Setting 0x181162c0 to 0x82
Reading Partition Table from NVRAM ... OK
Parsing Partition Table ... OK
factory boot check integer ok.
load fs uboot at 0x10000.
Autobooting in 1 seconds
## Starting application at 0x80010000 ...


U-Boot 1.1.4 (Nov 29 2016 - 15:25:24)

ap151 - Dragonfly 1.0

DRAM:  64 MB
Top of RAM usable for U-Boot at: 84000000
Reserving 120k for U-Boot at: 83fe0000
Reserving 32832k for malloc() at: 81fd0000
Reserving 44 Bytes for Board Info at: 81fcffd4
Reserving 36 Bytes for Global Data at: 81fcffb0
Reserving 128k for boot params() at: 81faffb0
Stack Pointer at: 81faff98
Now running in RAM - U-Boot at: 83fe0000
Flash Manuf Id 0xc8, DeviceId0 0x40, DeviceId1 0x17
flash size 8MB, sector count = 128
Flash:  8 MB
Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ath_gmac_enet_initialize...
No valid address in Flash. Using fixed address
No valid address in Flash. Using fixed address
ath_gmac_enet_initialize: reset mask:c02200
Dragonfly----> S27 PHY *
: cfg1 0x80000000 cfg2 0x7114
eth0: 00:03:7f:09:0b:ad
athrs27_phy_setup ATHR_PHY_CONTROL 4 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 4 :10
eth0 up
ATHRS27: resetting s27
ATHRS27: s27 reset done
: cfg1 0x800c0000 cfg2 0x7214
eth1: 00:03:7f:09:0b:ad
athrs27_phy_setup ATHR_PHY_CONTROL 0 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 0 :10
athrs27_phy_setup ATHR_PHY_CONTROL 1 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 1 :10
athrs27_phy_setup ATHR_PHY_CONTROL 2 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 2 :10
athrs27_phy_setup ATHR_PHY_CONTROL 3 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 3 :10
eth1 up
eth0, eth1
Setting 0x181162c0 to 0x82
Autobooting in 1 seconds
## Booting image at 9f030000 ...
Bad Magic Number
ath>

Compared to the working TP Link CA version firmware:


U-Boot 1.1.4 (Nov 29 2016 - 15:25:42)

ap151 - Dragonfly 1.0

DRAM:  64 MB
Top of RAM usable for U-Boot at: 84000000
Reserving 402k for U-Boot at: 83f98000
Reserving 32832k for malloc() at: 81f88000
Reserving 44 Bytes for Board Info at: 81f87fd4
Reserving 36 Bytes for Global Data at: 81f87fb0
Reserving 128k for boot params() at: 81f67fb0
Stack Pointer at: 81f67f98
Now running in RAM - U-Boot at: 83f98000
Flash Manuf Id 0xc8, DeviceId0 0x40, DeviceId1 0x17
flash size 8MB, sector count = 128
Flash:  8 MB
Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ath_gmac_enet_initialize...
No valid address in Flash. Using fixed address
No valid address in Flash. Using fixed address
ath_gmac_enet_initialize: reset mask:c02200
Dragonfly----> S27 PHY *
: cfg1 0x80000000 cfg2 0x7114
eth0: 00:03:7f:09:0b:ad
athrs27_phy_setup ATHR_PHY_CONTROL 4 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 4 :10
eth0 up
ATHRS27: resetting s27
ATHRS27: s27 reset done
: cfg1 0x800c0000 cfg2 0x7214
eth1: 00:03:7f:09:0b:ad
athrs27_phy_setup ATHR_PHY_CONTROL 0 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 0 :50
athrs27_phy_setup ATHR_PHY_CONTROL 1 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 1 :50
athrs27_phy_setup ATHR_PHY_CONTROL 2 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 2 :50
athrs27_phy_setup ATHR_PHY_CONTROL 3 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 3 :50
eth1 up
eth0, eth1
Setting 0x181162c0 to 0x82
Reading Partition Table from NVRAM ... OK
Parsing Partition Table ... OK
factory boot check integer ok.
load fs uboot at 0x10000.
Autobooting in 1 seconds
## Starting application at 0x80010000 ...


U-Boot 1.1.4 (Nov 29 2016 - 15:25:24)

ap151 - Dragonfly 1.0

DRAM:  64 MB
Top of RAM usable for U-Boot at: 84000000
Reserving 120k for U-Boot at: 83fe0000
Reserving 32832k for malloc() at: 81fd0000
Reserving 44 Bytes for Board Info at: 81fcffd4
Reserving 36 Bytes for Global Data at: 81fcffb0
Reserving 128k for boot params() at: 81faffb0
Stack Pointer at: 81faff98
Now running in RAM - U-Boot at: 83fe0000
Flash Manuf Id 0xc8, DeviceId0 0x40, DeviceId1 0x17
flash size 8MB, sector count = 128
Flash:  8 MB
Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ath_gmac_enet_initialize...
No valid address in Flash. Using fixed address
No valid address in Flash. Using fixed address
ath_gmac_enet_initialize: reset mask:c02200
Dragonfly----> S27 PHY *
: cfg1 0x80000000 cfg2 0x7114
eth0: 00:03:7f:09:0b:ad
athrs27_phy_setup ATHR_PHY_CONTROL 4 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 4 :10
eth0 up
ATHRS27: resetting s27
ATHRS27: s27 reset done
: cfg1 0x800c0000 cfg2 0x7214
eth1: 00:03:7f:09:0b:ad
athrs27_phy_setup ATHR_PHY_CONTROL 0 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 0 :10
athrs27_phy_setup ATHR_PHY_CONTROL 1 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 1 :10
athrs27_phy_setup ATHR_PHY_CONTROL 2 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 2 :10
athrs27_phy_setup ATHR_PHY_CONTROL 3 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 3 :10
eth1 up
eth0, eth1
Setting 0x181162c0 to 0x82
Autobooting in 1 seconds
## Booting image at 9f030000 ...
   Image Name:   MIPS OpenWrt Linux-3.3.8
   Created:      2016-12-06   7:00:35 UTC
   Image Type:   MIPS Linux Multi-File Image (lzma compressed)
   Data Size:    1042944 Bytes = 1018.5 kB
   Load Address: 80060000
   Entry Point:  80060000
   Contents:
   Image 0:  1042936 Bytes = 1018.5 kB
   Verifying Checksum at 0x9f030040 ...OK
   Uncompressing Multi-File Image ... OK
No initrd
## Transferring control to Linux (at address 80060000) ...
## Giving linux memsize in bytes, 67108864

Starting kernel ...

<boots successfully into the TP Link software>

Interestingly, the TP Link firmware boots an imaged named "OpenWRT Linux".
I hope this provides a little extra clarity to my original post with more pertinent logs?

4

You're seeing country code 00 tested and fail, then most likely the next one on the list in the CA stock firmware is CA which passes. But that doesn't generate a specific message other than Firmware supports, check OK.

When you write directly to flash use the sysupgrade bin file not the factory file.

Another approach is to get the initramfs bin file for your model from the snapshots directory and boot it in RAM, (tftpboot to 0x80060000 then bootm 0x80060000) then log in and use its sysupgrade mechanism to install a release sysupgrade to flash. This is a recommended procedure over erasing / writing flash directly which can destroy vital data in flash if done wrong.

2 Likes
5

That makes sense. Regardless it isn't clear where exactly this is reading values from. Is 971 the 971th byte? 971th Octet? I'm confident it's not in the first 512 bytes as those hex values (43 41 for CA) do not appear in that sector. They also don't appear at the 971th byte either

That was the problem. One of those occasions I lucked out and didn't bust variables in flash that I shouldn't have by using the wrong image. Now that that's all up and running, I've successfully installed + configured it and it's working like a dream! Thank you!

So I did try this out as well, and the result was the same "Bad Magic" error as I had before with the (incorrect factory) image. I was using the initramfs image 19.07.2

Here's the log:

ath> tftpboot 0x80060000 openwrt_initramfs.bin
Trying eth0
Using eth0 device
TFTP from server 192.168.0.10; our IP address is 192.168.0.1
Filename 'openwrt_initramfs.bin'.
Load address: 0x80060000
Loading: T T
Retry count exceeded; starting again
Trying eth1
Using eth1 device
TFTP from server 192.168.0.10; our IP address is 192.168.0.1
Filename 'openwrt_initramfs.bin'.
Load address: 0x80060000
Loading: #################################################################
         <snip>
         ###############################
done
Bytes transferred = 3816912 (3a3dd0 hex)
ath> bootm 0x80060000
## Booting image at 80060000 ...
Bad Magic Number
ath>

Not sure if that was the same initramfs that you alluded to, but overall we're up and running. Thank you

6

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.