I have a TP-Link Archer MR200(EU)v1 that's totally bricked. Tried to install an old LEDE-sysupgrade file to it about a year ago. The only thing that happens when I boot it is that some of the LEDs are lit for a while. Doesn't send any packets when capturing on the LAN ports with wireshark.
Now I've managed to set up a rpi with flashrom and tried several different .bin-files trying to get it back in working state.
Figured out that I need an image of the exact size due to the error message; "Error: Image size (8126464 B) doesn't match the flash chip's size (8388608 B)!".
Have tried to extract bootloader etc from factory firmware, appended bytes to the openwrt image to get the correct size but none of these images seems to work when I flash them.
Can anyone here provide me with and image of the correct size? Preferably the latest working openwrt for this router. Or complete instructions on how to resolve this.
What you need is a full firmware dump. But you will lose "rom", "romfile" and "radio" partition. They contain the factory settings for your specific router. Try to backup/dump your current bricked rom first. Normally the 3 mentioned partitions wont be touched.
Unfortunately I do not have a full firmware dump available. The router was bricked when I tried to flash LEDE to it. I do have a backup of the bricked rom but are not able to get anything from it that makes the router boot. I suspect that I might have managed to overwrite all partitions completely.
I've tried flashing the OEM firmware directly using SOC-8 cable. I use a rpi with flashrom and the only output I get is that the OEM firmware binary is not the same size as the ROM-chip.
I've made some progress by getting the bootloader from the OEM firmware and combining it with latest version of OpenWRT for this router. Expanding the file with 'dd' by adding a 0 to the last byte so that it fits the size of my ROM-chip.
After this the router boots and are able to download OEM firmware file from TFTP. Unfortunately after the firmware has been uploaded I loose all contact with the router and it seems to be stuck in boot loop.
I can reproduce this behaviour but aren't able to get any access to the router.
You are in bootloop because you dont have the last 3 partition, happened to me. the 3 partition starts at 0x7d0000 till 0x7fffff. It is looking for the wireless driver/firmware which it didn't find, thats why it loops from kernel panic. Just google for MR200 firmware dump and start from there, I found Heinz dump which saved my router, just remember to edit the correct MAC address for your router later. If I remembered correctly the 3 last partition on a Archer C2V1 are identical and full firmware dumps can also be found via google.
use hex editing tool to edit the MAC at 0x007DF100. there is also something similar at 0x007DF200 but I have not yet tried to figure what it is for maybe it is for wifi or something else.
The Heinz dump I used is just filled with zeroes at the offset for MAC. See attached screenshot. When looking at the webgui of the router MAC for 4G/LTE is represented as 00:00:00:00:00:01.
Hi, as you can see from the screenshot it's filled with 0x00. After I've edited the file I guess the tftp-install method or writing directly to ROM must be used? The file I'm editing is the Heinz firmware dump for MR200. Correct?
can you send link to the firmware which you used for flash? Like I said earlier the fill/erase should not be 0x00 but 0xff. If you are flashing using flashrom you must include the last 3 partition starting from 0x7d0000. after flashing use only tftpboot flash, this will avoid writing/erasing the last 3 partition. you can refer to https://wiki.openwrt.org/toh/tp-link/archer-mr200 for guide. latest firmware is https://downloads.openwrt.org/releases/18.06.1/targets/ramips/mt7620/openwrt-18.06.1-ramips-mt7620-ArcherMR200-squashfs-sysupgrade.bin
When you upload file from tftpboot read carefully the instructions. it must include bootloader (0x20000 bytes) joined by the sysupgrade file. if you are unable to do it let me know, I will make the correct file for you.
as another option you can use the working dump as base, copy the sysupgrade with a hexeditor and paste into the working dump at 0x20000. use this new file to flash with flashrom.
I'm not able to find the link where I downloaded the dump. If I remember correctly it was from a forum thread on https://tplinkforum.pl/.
The dump you provided works great. I was able to change the MAC address but for some reason the change one was attached to the LAN and WIFI interface (see screenshot). The one on 3G/4G I do not know where it came from. The label on the backside says: 3C:46:D8:DA:4F:5F.
I've done several attempts in creating a working openwrt binary for my MR200 but I'm not able to pull it off. Would be great if you're able to provide me with a working one. I guess I'm failing in grabbing the bootloader from a stock ROM.
there's no need to change 3g/4g WAN MAC address. You have a separate modem which is still untouched so the MAC is untouched as well. The MAC label on your router is for LAN. I think your router is already ok.
