Bricked Archer c7v5 while trying to remove DDWRT

Hello,
For a week or two I have been trying to remove DDWRT to install OpenWRT; as stated in their wiki, we need to revert to stock firmware and then go to OpenWrt. I tried many, many times with the DDWRT Webif Upgrade section, then with several TFTP servers on both Mac and PC. Nothing worked, and yesterday, following a video and a DDWRT guide:

  1. enable ssh on your device
  2. dd if=/Users/ced/Desktop/tplink/ArcherC7_V5200628.bin of=tplink.bin skip=257 bs=512
  3. Renamed the stock firmware to ArcherC7v5_tp_recovery.bin
  4. mtd -f ArcherC7v5_tp_recovery.bin fullflash

After I typed the last command (mtd), the router rebooted without any confirmation and was bricked. Now it shows two lit LEDs (Internet + Ethernet port 2) and nothing is working. If I reboot it, it stays the same; if I try to put it in safe mode (or maybe recovery) by keeping Reset pressed while I power on the router, nothing happens...
I tried to connect an Ethernet cable to Ethernet port 2 and scan the network, but the only IP detected is the one from the Mac I scan from. I tried setting the network on the Mac to 192.168.0.66/255.255.255.0, but the router doesn't respond to ping, and because there is no recovery mode (failsafe) I can't TFTP the firmware to it...

Any help would be greatly appreciated (I don't have JTAG)

If that doesn't succeed (and even if it does, there is a strong chance that its wireless got shot permanently), it's probably game over (from an economical point of view).

Yes, there's never really game over, but anything beyond push-button requires investing in a 3.3V serial console adapter, soldering equipment and/or spi-nor flashers and soic8 clamps. While there's still the looming danger of your wireless being damaged permanently (lost calibration data), that quickly surpasses the resale value of functional used archer c7 devices (especially considering that the archer c7 range is getting a bit long in the tooth).

Arf,
bad news, but thank you for being honest...
If I need to buy another, I will, even if I would have preferred to avoid spending another 100 euro on a router which can't even run Tomato, but I would like to understand why it is so difficult to switch from DDWRT to another firmware then... Yesterday, my router was on the 03 November release of DDWRT, and I upgraded it without any problem to the latest version of DDWRT; it did not even need TFTP or anything else, it upgraded from the webif -> upgrade...
And yet each time I tried to revert to factory firmware, or to OpenWRT, it never worked. I tried everything: webif upgrade, TFTP on Windows emulation, TFTP on Mac, different TFTP software. This led me to make an error while I was trying to revert the firmware...
What, are DDWRT devs trying to prevent us from going to other firmwares? Because I feel this way.

That is way too much for an archer c7, the going price for a new one should be around 60 EUR at the moment (and I wouldn't pay that much for a dated ath79 device as this). Yes, used prices for these are inflated as well (probably even more so, in relation), but I would favour ipq40xx over ath79 these days.

I know, but I live in Morocco, in Casablanca, a big town like Paris, bigger probably, and since they removed any good brand (Netgear, Linksys, etc.) from the market, there remains only the junk they want us to buy at the price they want us to pay.

I searched for 2 weeks on the internet, calling any shop when I saw a Netgear R7000 or any Tomato-compatible router on their webstore, and each time someone answered me on the phone, I got the same answer: "Sorry, we don't have Netgear or Linksys routers anymore since 2019, do you want a Tenda TP-Link XX Link or ZZ Link?"
I also tried to order it from Europe or the USA, but I haven't found anyone to send it to Morocco, plus customs problems: the customs officer could make me pay 1% fees, nothing (I could have the postman coming to my home, but with COVID-19 not sure), or they could keep it or confiscate it depending on their mood...

But this is another problem. To be honest, I went to DDWRT out of disappointment; for 15 years I was on Tomato, and I never, never wanted to try anything else. At first, when I received my WRT54GL, I tried DDWRT, OpenWRT and Tomato. DDWRT was too slow for the capacity of the WRT54GL and missed many Tomato functionalities; OpenWRT was amazing, completely customizable, but too complicated for someone like me; and I found Tomato light, simple and easy to understand. The interface was light and very handy.
Exactly what I needed...
So when I went to fibre, I tried to bridge the GPON to my old WRT54GL (may he rest in peace even if he is still perfectly alive), but the WRT54GL doesn't have the capacity to manage 100Mb... it worked but I got only 30Mo/15Mo instead of 100Mo / 50 Mo...

xxxxxxxxxxxxxxxxxxxxxx

A weird thing happened when I was trying to revive my Archer C7: I had Wireshark recording on the EN1 interface (Ethernet; everything else was disabled), and I saw an unusual IP: 169.254.255.255. I tried to ping it and it responded.
Could it be the Archer C7 trying to call for help? I tried ssh/ftp but the connection is not permitted.

Edit: is ipq40xx the new router component? The one to prefer over the other Atheros/Broadcom etc.?

@fced - this isn't a DD-WRT issue. This is an issue when you're trying to switch from any -WRT to another -WRT.

That's why the easiest is to migrate from DD-WRT to stock and then from stock to OpenWRT.

In the past I was able to recover one TL-WDR4300 from OpenWRT with a forgotten password, configured as a dumb AP, and to reset its settings.

This is described here:


but it's in Bulgarian and I'll try to summarize it in short.

So try to connect the router directly to the computer and use a command such as "sudo tcpdump -Ani en0" to see how the router is trying to contact you. Maybe the IPs are wrong? Because the device is 192.168.0.86.

The openwrt wiki instructions were for the archer c7 v2, while the archer c7 v5 has a different layout in its factory bin files.

Factory firmware for archer c7 v2 starts at 0x20200

Whereas the factory firmware for the archer c7 v5 starts somewhere at 0x12a36. I guess the stripping process went wrong here.

See this comment.

Hello,
I tried sudo tcpdump -Ani en0 (it reminds me of what Wireshark does), and I haven't seen any trace of an IP other than the one assigned to my eth0 interface.
Earlier, while I was doing the same with Wireshark, I noticed a weird IP (169.254.255.255), so I decided to try to ping it and it answered (I had set the eth0 IP address to 169.254.255.254)...
Could it be the router which is responding on this IP?

I don't know how the dd-wrt partitions are laid out, but it seems likely that fullflash is going to be the whole chip, including the bootloader. Which means that you have clobbered the bootloader. That would be quite bad: the only way to recover from that is to use a SPI programmer to write a correct bootloader directly to the flash chip. And hope that the ART partition at the end of the chip is still OK, because that is unique to each unit and there's no way to get a copy of it if you don't have a backup.

If that is the case you're going to need a CH341 or similar board and soldering skills to remove the flash chip from the router.

@fced - you must set a static IP like 192.168.0.66 before running that tcpdump command.

Apologies, I thought it was obvious and forgot to specify it. Of course, while I was recording the connection between my computer's EN0 and the router (supposedly on 192.168.0.86), I had set my computer's ETH0 interface to IP 192.168.0.66, and only afterwards, when I detected the 169.254.255.255 IP, did I decide to set my computer's ETH0 to 169.254.255.254 to ping 169.254.255.255... I wonder which device answered my ping (only the bricked Archer C7 v5 was connected, nothing else, and all other network interfaces were completely disabled).
This Archer C7 v5 is dead; as @mk24 said, without a serial adapter or SPI programmer (Chinese to me until now ;) I think I will not be able to unbrick it...
@mk24 it could be a solution, but probably more expensive than buying another Archer C7 v5. Those are specific tools; I am not even sure I can find them here, and as you said there is no guarantee (if the ART partition is damaged)...

For now, I got a new Archer C7 v5, still on its firmware, not even upgraded, but after what happened I am a bit afraid to upgrade it with anything other than the Webif -> Upgrade.

I now have two questions (I created a topic for them but got no answer):

1/ How do we install OpenWRT on an Archer C7 v5 SAFELY? Here it is said I can install it from the router web interface: https://openwrt.org/toh/tp-link/archer-c5-c7-wdr7500#tab__archer_c7_20
and here https://openwrt.org/docs/guide-user/installation/installation_methods/see_git-commit?dataflt[Versions*~]=v5&dataflt[Model*~]=archer+c7 it is said we need TFTP to install OpenWRT. Could I install OpenWRT from the TP-Link Archer C7 v5 web upgrade (factory firmware 20190726) safely, and if not, is a TFTP upgrade SAFE?

2/ If I install OpenWRT, will it be possible to switch at any time to DDWRT (if I need it), or by reverting to factory firmware and then to DDWRT?

Also, I would like to understand why I was not able to remove DDWRT and reinstall a TP-Link factory firmware. Is this normal? Is it the same for any router, or only the Archer C7, or was my router's boot or flash damaged? (I have found many requests on Google and tutorials from people who had trouble reverting to factory firmware after installing DDWRT/OpenWRT on Archer C7 v2/v5.)

fced said:
> by reverting factory firmware

The stripped factory firmware is not available anywhere on the internet, and the instructions mentioned in the wiki are for v2, not v5.

So without a stripped firmware it is not possible to revert to factory firmware. I would have appreciated it if someone on the DDWRT forum had had the honesty to say so... It would have spared me a lot of time trying to revert, and the price of a router...
Could this help to strip an Archer C7 v5 firmware?
https://www.refirmlabs.com/reverse-engineering-my-routers-firmware-with-binwalk/
I practised with it and binwalk yesterday, but at some point something went wrong: I got a "corrupted" message when I tried to unlzma image.lzma.

A stripped factory firmware is not always required; it is necessary when the tftp/webui doesn't allow you to flash the factory firmware because the factory firmware has a specially identifiable header which doesn't match what is expected. This did occur for some people who faced difficulty with the c7 v2 some years back, and a kind soul stripped a factory firmware and many people were able to revert the v2 back to stock.

So stripping is removing that bootloader and the header (I think the header here means the safeloader of TP-Link, which isn't present in the OpenWrt sysupgrade firmware. Please correct me if I am wrong.) from the factory firmware so that it can be flashed by the tftp while bypassing the header checks of the tftp flasher. @mk24 is an expert in this and I learnt a lot from this guru. (Please correct the mistakes I have made; I have not fully (and correctly) understood the nuances of OpenWrt with routers. I am a complete n00b.)

The website is telling you to isolate the kernel and bootloader separately for analysis, which we don't need at all. We need to delete the bootloader and excess stuff from the TP-Link stock factory firmware. The wiki shows the correct procedure, but the values of bs and skip are totally incompatible with the v5. Those values are for v2 and we need to change them for v5. Simply put, the stock firmware for v5 is drastically different in the partition layout and sizes when compared to the v2 (and I have seen that the factory stock firmware for the v5 changes in its partition sizes with each firmware version: 190726 is different from 180425).

So all we have to do is the same stripping process with appropriate values for the bs and skip attributes, for each stock firmware version. We need help from a dev who can give clarity on what values to choose for the stripping process.

Thank you, this was very interesting, at least now I understand.

I searched for an Archer C7 v5 stripped factory firmware because two weeks after I installed DDWRT I wanted to give OpenWRT a try. I then tried to revert to factory firmware (from webif upgrade / TFTP) but nothing worked; each time after the upgrade, the router rebooted, but on DDWRT.
Two days ago, I upgraded from DDWRT 03/11 to the latest version and it worked perfectly, so the problem (to me, with my understanding) was caused by DDWRT; something in DDWRT prevents me from installing anything other than DDWRT...

PS: Maybe I should create a new topic in the appropriate section of the forum for a better chance of getting an answer...

I asked on the DDWRT forum:
How do the people who are stripping firmwares for v2 get the right values for:

Code:
dd if=archer-c7.bin of=uImage bs=1 skip=78448 count=1088572

and for

Code:
mtd -r write ArcherC7v5_tp_recovery.bin fullflash (or linux, or something else; there are several values here)

We will see if they answer. Some people are probably better devs than us (I am a graphic designer with basic, very basic, knowledge of coding), but they don't share info easily, or when they share it, they are not the best teachers.

Edit: I also asked on the TP-Link forum: https://community.tp-link.com/en/home/forum/topic/237348?page=1
And a developer who published a tutorial to unbrick the Archer C7...
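
An added example, not written by any poster in this thread: one way to arrive at `bs` and `skip` for `dd` is to locate the payload header inside the factory image and verify it before stripping anything. It assumes the payload begins with a U-Boot legacy uImage header, which the thread does not confirm for the v5 image; the function names and the test image are constructed for illustration.

```python
import struct
import zlib

UIMAGE_MAGIC = b"\x27\x05\x19\x56"  # U-Boot legacy image magic (big-endian)
HDR_LEN = 64                        # fixed size of the legacy uImage header


def find_uimage_headers(blob):
    """Return [(offset, payload_size)] for each header whose CRC verifies."""
    hits = []
    pos = blob.find(UIMAGE_MAGIC)
    while pos != -1:
        hdr = blob[pos:pos + HDR_LEN]
        if len(hdr) == HDR_LEN:
            stored_crc, = struct.unpack(">I", hdr[4:8])
            size, = struct.unpack(">I", hdr[12:16])
            # The header CRC is computed with its own field zeroed.
            zeroed = hdr[:4] + b"\x00" * 4 + hdr[8:]
            if zlib.crc32(zeroed) & 0xFFFFFFFF == stored_crc:
                hits.append((pos, size))
        pos = blob.find(UIMAGE_MAGIC, pos + 1)
    return hits


def dd_params(offset, max_bs=512):
    """Largest power-of-two bs <= max_bs dividing offset, plus the skip count."""
    bs = max_bs
    while bs > 1 and offset % bs:
        bs //= 2
    return bs, offset // bs


def make_constructed_image(offset, payload=b"\x5d" * 128):
    """Constructed test image: 0xff filler, then a valid header and payload."""
    fields = struct.pack(">IIIIIIIBBBB32s", 0x27051956, 0, 0, len(payload),
                         0x80060000, 0x80060000,
                         zlib.crc32(payload) & 0xFFFFFFFF,
                         5, 5, 2, 3, b"constructed-kernel")
    hcrc = zlib.crc32(fields) & 0xFFFFFFFF
    return (b"\xff" * offset + fields[:4] + struct.pack(">I", hcrc)
            + fields[8:] + payload)


if __name__ == "__main__":
    image = make_constructed_image(0x12A36)  # offset quoted in the thread
    for off, size in find_uimage_headers(image):
        bs, skip = dd_params(off)
        print(f"header at {off:#x}: dd bs={bs} skip={skip} ({size} bytes)")
    print("v2 offset 0x20200 ->", dd_params(0x20200))
```

For the v2 offset 0x20200 this gives bs=512 skip=257, the values used in the first post; 0x12a36 is not a multiple of 512, so those values cannot address it.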