Bricked TP-Link Archer C6 V2 (US)

Hello, I have a TP-Link Archer C6 V2 (US) and I flashed OpenWRT custom firmware on it since the stock firmware took too long to log into my PPPoE profile. I did that successfully but the custom firmware limited my wireless speeds by 50% for some reason and so here I made the mistake of trying to flash the stock firmware back directly from OpenWRT and my router is now completely bricked, it does not boot loop or anything like that but the power LED stays on. It does power on but does not output any IP address. TFTPD does not pick a log from the router as I suspect the custom firmware completely wiped the previous recovery methods. Watching a couple of videos on YouTube indicates that I can use a TTL to USB CP2102 module to directly connect to the router but I do not know how to get it to work. I have purchased said module. Also, the US version has different commands for recovery and the guide on OpenWRT is really brief, presumably for people who are already well experienced in dealing with such issues and I'm basically a novice. If anyone could please help me fix my router model, I'd be extremely grateful. The router is in good condition and I do not want to buy another one yet. Please help me if you can.

If that would be true, the CP2102 won't help.

TFTP recovery attempts are often blocked by the firewall, on the host running the TFTPd.

3 Likes

Does the router enter TFTP recovery mode? After turning the power on with the reset button held down, and keeping it held down for a time, the lights should change so the WPS light (two arrows pointing around in a circle) is the only one lit.

If that happens, the router should pull in the stock firmware file, if your TFTP server is working.

Recovery methods using the serial port also require a working TFTP server.

Hello,
I'm not sure how to verify that but it does show an LED light for about 3-5 seconds with a lock icon when I hold the reset button while turning the router on but to no avail. No file ever gets transferred and I cannot see anything in the TFTPD64 log. Also, I have the 4 header pin holes in my router board for the serial connection but haven't seen any similar boards online to figure out RX, TX and GND pins. Today when I checked for the ethernet status in the control panel, it reported a default Autoconfiguration IPv4 Address of 169.254.111.3 and Subnet Mask 255.255.0.0.

Please ask me any and everything you may think could help you understand my issue better.

Thank you for your time.

Hello,

Is there anything at this point you could suggest to help me?
I am regretting messing around with custom firmware but as mentioned it seemed necessary at the time.

Any and all of your input is appreciated.

I'd start by retrying the TFTP recovery, and if it fails, fire up wireshark, and listen to the traffic.

The TFTP recovery method has not worked for me yet. I don't even remember how many times I've tried to do it. Followed instructions to the letter. I've tried 192.168.0.1, 192.168.1.1, 192.168.0.66, and 192.168.1.66 but never got a progress bar or log of any file transfer. I tried the TFTP client method but got error code 5 saying "CreateFile access denied". I used Wireshark to catch traffic but nothing.

TFTP client is irrelevant, unless you use it from another host, to verify the TFTP server.

Check the firewall, sniff the traffic, using wireshark.

If wireshark comes back with zero, you'll need a flash writer to recover the device.

How do I do this???

Is there a brute-force method that has a high probability of working? I can send a little bit of money if it requires additional hardware for this but not more than the point where it negates the value of the router at this point.

To see what’s going on you’re going to need to connect the uart / serial console.

There’s a guide in the Serial section of the device page. You can solder leads to the test points if you have the skills, or just find a way to hold them on for long enough to see whether uboot is alive. Clothes pegs sometimes work, or electrical tape can in a pinch.

TX to RX, RX to TX, GND to GND and don’t connect the 3.3v.

Once you have uart access you can see whether the boot loader is alive. If it is you can push tftp to start. If not, then jtag or flashing the nand with a clip.

NAND FLASHER
Is the NAND FLASHER in the picture what I need?
It costs about USD 10 or INR 800. I can get it if this has a higher chance of recovering the router.

If you want to prepare for the worst, get a nand clip straight away, and skip all the steps in between.

You'll need a nand dump too, though, to write back to the chip.

Could you show me a picture or share a link so I can get the right equipment? Thanks in advance.

Wireshark :yum:

1 Like

Mmm, DYAC :expressionless:

1 Like

I'd say buy yourself another router and be done with it. If you start investing in tools you're not accustomed to you'll just end up spending more money and time with the same end result - you'll need a new device.

I don't mind buying tools, I love tools (sort of a geek).

The thing is I can't live with the fact that I ruined something that was working just fine. I like fixing things. I've only bought the serial TTL - USB module so far. Plus tools always come in handy.

Off-topic, but I used to mess around with my android devices all the time, custom ROMs, Kernels and stuff like that but for some reason, this router is a real challenge.

I will just fix the router, sell it, and use the money to buy a better one.

You can get an SOIC clamp like this, e.g. That should allow you to dump the NOR flash and replace its contents. No soldering or serial access required if the latter isn't working out for you (TP-Links are always iffy for me on that front).

Would this be fine?

Once I do get my hands on this, would you mind walking me through this? Frankly, this looks a bit intimidating but I am prepared to go as far as possible to get my router working again.

Thanks for your input and time, much appreciated.

Yes, that looks fine. There's lots of sellers for these things. I know it looks a bit intimidating, I had to look up quite some stuff myself too before I got it working. Ground rule is you do not power the device; the CH341a programmer will power the flash chip so it can read it out. So anything you do with it needs to be done without the router powered up (no power supply attached).

I found this to be really helpful as to how to connect the clamp etc. It will take a bit of trial and error. Any read-out you perform, perform it multiple times to be sure the clamp is connected soundly to the chip, and checksum the resulting dumps to make sure the hash is identical between them. Only after you have run a few identical dumps you can start looking at writing back a modified image.
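One way to do the dump comparison described in the post above, as an added example that is not part of the original thread. The three-dump minimum, the file names and the 4 KiB sample data are assumptions made for illustration; the size and blank-read checks go slightly beyond the hash comparison the post asks for.

```python
import hashlib
import os
import tempfile

MIN_DUMPS = 3  # assumption: "a few" identical read-outs means at least three


def check_dumps(paths):
    """Return a list of problems found; an empty list means the dumps agree."""
    problems = []
    digests = {}
    for path in paths:
        with open(path, "rb") as fh:
            data = fh.read()
        digests[path] = hashlib.sha256(data).hexdigest()
        size = len(data)
        # SPI NOR parts have power-of-two capacities; other sizes mean a short read.
        if size == 0 or size & (size - 1):
            problems.append(f"{path}: size {size} is not a power of two")
        # A clamp with no contact tends to read back one repeated byte (0xFF or 0x00).
        elif data.count(data[0]) == size:
            problems.append(f"{path}: every byte is 0x{data[0]:02x}")
    if len(paths) < MIN_DUMPS:
        problems.append(f"only {len(paths)} dump(s), want {MIN_DUMPS}")
    if len(set(digests.values())) > 1:
        for path, digest in digests.items():
            problems.append(f"mismatch: {digest[:16]}  {path}")
    return problems


def demo():
    """Run the check on constructed 4 KiB sample files (not real firmware)."""
    good = bytes(range(256)) * 16
    flipped = bytearray(good)
    flipped[100] ^= 0x01  # one bit misread, as a marginal contact would give
    with tempfile.TemporaryDirectory() as tmp:
        def write(name, blob):
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(blob)
            return path
        a, b, c = (write(f"read{i}.bin", good) for i in (1, 2, 3))
        bad = write("read4.bin", bytes(flipped))
        blank = write("blank.bin", b"\xff" * 4096)
        return {
            "identical": check_dumps([a, b, c]),
            "one_bit_off": check_dumps([a, b, bad]),
            "no_contact": check_dumps([blank, blank, blank]),
        }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else problems)
```

Keep one verified dump as an untouched backup before writing anything to the chip.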