Bricked TP-Link MR200(EU)v1

Thank you, I'll give it a try.

Hi @gurangax,

Thank you very much for the openwrt binary. Works like a charm.

One question; Do you know if it's possible to configure the modem to bridge the IP-address directly to usb0 (wan) in openwrt? I would like to avoid double NAT. Read on openwrt wiki about setting the ip-address of the modem to 192.168.225.100 (some kind of dmz solution?) but still it doesn't work.

Sorry, can't help you with this. Currently I am using a different modem (ME909S-120), as my original modem is broken. But try this archived link, maybe it will help you.
https://forum.archive.openwrt.org/viewtopic.php?id=64293&p=3

Does anyone have experience and/or OEM firmware dumps for MR200(EU)v2/v3?

Binary firmware offsets for v1 and v2 OEM images look identical, so I gave the v1 image a shot...

I managed to install the 18.06.2 image for v1 on MR200v2, LEDs looked OK, 192.168.1.1 showed up in nmap (i.e. ARP worked) but no ports were open - tried telnet, ssh, http.

I tried to revert to the OEM fw using tftp, but after that, the device would only blink one of the signal strength LEDs, and it's not responding to pings ...

Will try to connect serial tmrw to see how badly I bricked it...

The serial terminal should show if you have bricked it or not.

Hi, I just debricked my router and amended the debricking instructions on https://openwrt.org/toh/tp-link/archer-mr200

Hi there,
can someone give me a hint? After a successful switch to OpenWrt, I tried to upgrade via sysupgrade --force to the latest version I compiled myself and ... I bricked it. I see the following on the serial console, however I'm not sure I can still repair it without a programmer? The bootloader seems to be OK... but it seems I'm not able to get the TFTP / network connection working (no network activity indicated by the LED nor by the connected devices LED). Any ideas please? Also I can get to the console and e.g. use tftp etc., but I have no idea what to write where (e.g. at which memory address, which file etc.), and I'm not sure the network interfaces even actually work?

U-Boot 1.1.3 (Aug 31 2015 - 16:32:16)

Board: Ralink APSoC DRAM:  64 MB
relocate_code Pointer at: 83fb0000
enable ephy clock...done. rf reg 29 = 5
SSC disabled.
------------------
 Archer C2 v1.0.0
------------------
spi_wait_nsec: 29
spi device id: ef 40 17 0 0 (40170000)
find flash: W25Q64BV
============================================
Ralink UBoot Version: 4.1.2.0
--------------------------------------------
ASIC 7620_MP (Port5<->GigaSW)
DRAM component: 512 Mbits DDR, width 16
DRAM bus: 16 bit
Total memory: 64 MBytes
Flash component: SPI Flash
Date:Aug 31 2015  Time:16:32:16
============================================
icache: sets:512, ways:4, linesz:32 ,total:65536
dcache: sets:256, ways:4, linesz:32 ,total:32768

 ##### The CPU freq = 580 MHZ ####
 estimate memory size =64 Mbytes
..................................................
starting recovery...
TODO, Read MAC Address from Flash

rt_rtl8367_init(1363):Begin
Wait for RTL8367RB Ready
....................................................................................................
Timeout

 netboot_common, argc= 3

 NetTxPacket = 0x83FE5800

 KSEG1ADDR(NetTxPacket) = 0xA3FE5800

 NetLoop,call eth_halt !

 NetLoop,call eth_init !
Trying Eth0 (10/100-M)

 Waitting for RX_DMA_BUSY status Start... done


 ETH_STATE_ACTIVE!!
TFTP from server 192.168.0.66; our IP address is 192.168.0.1
Filename 'ArcherC2V1_tp_recovery.bin'.

 TIMEOUT_COUNT=10,Load address: 0x80060000
Loading: T T T T T T T T T T
Retry count exceeded; starting again
do_bootm:argc=2, addr=0xbc020000
## Booting image at bc020000 ...
   Uncompressing Kernel Image ...

And the normal boot print follows:

U-Boot 1.1.3 (Aug 31 2015 - 16:32:16)

Board: Ralink APSoC DRAM:  64 MB
relocate_code Pointer at: 83fb0000
enable ephy clock...done. rf reg 29 = 5
SSC disabled.
------------------
 Archer C2 v1.0.0
------------------
spi_wait_nsec: 29
spi device id: ef 40 17 0 0 (40170000)
find flash: W25Q64BV
============================================
Ralink UBoot Version: 4.1.2.0
--------------------------------------------
ASIC 7620_MP (Port5<->GigaSW)
DRAM component: 512 Mbits DDR, width 16
DRAM bus: 16 bit
Total memory: 64 MBytes
Flash component: SPI Flash
Date:Aug 31 2015  Time:16:32:16
============================================
icache: sets:512, ways:4, linesz:32 ,total:65536
dcache: sets:256, ways:4, linesz:32 ,total:32768

 ##### The CPU freq = 580 MHZ ####
 estimate memory size =64 Mbytes

continue to starting system.                                                                                                                         0
disableEthForward(1158):disable switch forward...

3: System Boot system code via Flash.(0xbc020000)
do_bootm:argc=2, addr=0xbc020000
## Booting image at bc020000 ...
   Uncompressing Kernel Image ...

Starting kernel ...

[    0.000000] Linux version 4.14.162 (xxxxx@debian) (gcc version 8.3.0 (OpenWrt GCC 8.3.0 r3012+8919-0d1b329914)) #0 Thu Jan 9 17:54:24 2020
[    0.000000] Board has DDR2
[    0.000000] Analog PMU set to hw control
[    0.000000] Digital PMU set to hw control
[    0.000000] SoC Type: MediaTek MT7620A ver:2 eco:6
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 00019650 (MIPS 24KEc)
[    0.000000] MIPS: machine is TP-Link Archer MR200
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 04000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x0000000000000000-0x0000000003ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x0000000003ffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000003ffffff]
[    0.000000] random: get_random_bytes called from start_kernel+0x98/0x4a0 with crng_init=0
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 16240
[    0.000000] Kernel command line: console=ttyS0,115200 rootfstype=squashfs,jffs2
[    0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[    0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Writing ErrCtl register=00063f90
[    0.000000] Readback ErrCtl register=00063f90
[    0.000000] Memory: 58500K/65536K available (3897K kernel code, 186K rwdata, 796K rodata, 1192K init, 212K bss, 7036K reserved, 0K cma-reserved)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS: 256
[    0.000000] CPU Clock: 580MHz
[    0.000000] clocksource: systick: mask: 0xffff max_cycles: 0xffff, max_idle_ns: 583261500 ns
[    0.000000] systick: enable autosleep mode
[    0.000000] systick: running - mult: 214748, shift: 32
[    0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 6590553264 ns
[    0.000010] sched_clock: 32 bits at 290MHz, resolution 3ns, wraps every 7405115902ns
[    0.007588] Calibrating delay loop... 385.84 BogoMIPS (lpj=1929216)
[    0.073555] pid_max: default: 32768 minimum: 301
[    0.078316] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.084692] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.098700] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.108258] futex hash table entries: 256 (order: -1, 3072 bytes)
[    0.114286] pinctrl core: initialized pinctrl subsystem
[    0.119921] NET: Registered protocol family 16
[    0.608419] PCI host bridge /pcie@10140000 ranges:
[    0.613033]  MEM 0x0000000020000000..0x000000002fffffff
[    0.618084]   IO 0x0000000010160000..0x000000001016ffff
[    0.643661] rt2880_gpio 10000600.gpio: registering 24 gpios
[    0.649058] rt2880_gpio 10000600.gpio: registering 24 irq handlers
[    0.655455] rt2880_gpio 10000638.gpio: registering 16 gpios
[    0.660829] rt2880_gpio 10000638.gpio: registering 16 irq handlers
[    0.667221] rt2880_gpio 10000660.gpio: registering 32 gpios
[    0.672595] rt2880_gpio 10000660.gpio: registering 32 irq handlers
[    0.678970] rt2880_gpio 10000688.gpio: registering 1 gpios
[    0.684260] rt2880_gpio 10000688.gpio: registering 1 irq handlers
[    0.691042] PCI host bridge to bus 0000:00
[    0.694970] pci_bus 0000:00: root bus resource [mem 0x20000000-0x2fffffff]
[    0.701684] pci_bus 0000:00: root bus resource [io  0xffffffff]
[    0.707385] pci_bus 0000:00: root bus resource [??? 0x00000000 flags 0x0]
[    0.713988] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
[    0.722144] pci 0000:00:00.0: bridge configuration invalid ([bus 00-00]), reconfiguring
[    0.731054] pci 0000:00:00.0: BAR 0: no space for [mem size 0x80000000]
[    0.737420] pci 0000:00:00.0: BAR 0: failed to assign [mem size 0x80000000]
[    0.744239] pci 0000:00:00.0: BAR 8: assigned [mem 0x20000000-0x201fffff]
[    0.750773] pci 0000:00:00.0: BAR 1: assigned [mem 0x20200000-0x2020ffff]
[    0.757390] pci 0000:01:00.0: BAR 0: assigned [mem 0x20000000-0x200fffff]
[    0.763964] pci 0000:01:00.1: BAR 0: assigned [mem 0x20100000-0x201fffff]
[    0.770568] pci 0000:00:00.0: PCI bridge to [bus 01]
[    0.775374] pci 0000:00:00.0:   bridge window [mem 0x20000000-0x201fffff]
[    0.788112] clocksource: Switched to clocksource systick
[    0.794552] NET: Registered protocol family 2
[    0.799674] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[    0.806399] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[    0.812632] TCP: Hash tables configured (established 1024 bind 1024)
[    0.818927] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.824553] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.830992] NET: Registered protocol family 1
[    0.838420] rt-timer 10000100.timer: maximum frequency is 1220Hz
[    0.846925] workingset: timestamp_bits=14 max_order=14 bucket_order=0
[    0.860437] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.866039] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.889487] io scheduler noop registered
[    0.893234] io scheduler deadline registered (default)
[    0.899150] gpio-export gpio_export: 1 gpio(s) exported
[    0.904415] Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
[    0.911778] console [ttyS0] disabled
[    0.915233] 10000c00.uartlite: ttyS0 at MMIO 0x10000c00 (irq = 20, base_baud = 2500000) is a Palmchip BK-3103
[    0.924916] console [ttyS0] enabled
[    0.924916] console [ttyS0] enabled
[    0.931949] bootconsole [early0] disabled
[    0.931949] bootconsole [early0] disabled
[    0.946630] spi spi0.0: force spi mode3
[    0.962810] m25p80 spi0.0: s25fl064k (8192 Kbytes)
[    0.967758] 5 fixed-partitions partitions found on MTD device spi0.0
[    0.974260] Creating 5 MTD partitions on "spi0.0":
[    0.979182] 0x000000000000-0x000000020000 : "u-boot"
[    0.985218] 0x000000020000-0x0000007d0000 : "firmware"
[    0.994150] 2 tplink-fw partitions found on MTD device firmware
[    1.000268] Creating 2 MTD partitions on "firmware":
[    1.005347] 0x000000000000-0x0000001907c7 : "kernel"
[    1.011376] 0x0000001907c8-0x0000007b0000 : "rootfs"
[    1.017216] mtd: device 3 (rootfs) set to be root filesystem
[    1.024838] 1 squashfs-split partitions found on MTD device rootfs
[    1.031224] 0x0000007aa000-0x0000007b0000 : "rootfs_data"
[    1.037711] 0x0000007d0000-0x0000007e0000 : "rom"
[    1.043463] 0x0000007e0000-0x0000007f0000 : "romfile"
[    1.049572] 0x0000007f0000-0x000000800000 : "radio"
[    1.056261] libphy: Fixed MDIO Bus: probed
[    1.072360] gsw: setting port4 to ephy mode
[    1.076923] mtk_soc_eth 10100000.ethernet: loaded mt7620 driver
[    1.083700] mtk_soc_eth 10100000.ethernet eth0: mediatek frame engine at 0xb0100000, irq 5
[    1.092702] rt2880_wdt 10000120.watchdog: Initialized
[    1.099283] NET: Registered protocol family 10
[    1.108239] Segment Routing with IPv6
[    1.112095] NET: Registered protocol family 17
[    1.116698] 8021q: 802.1Q VLAN Support v1.8
[    1.129249] squashfs: SQUASHFS error: unable to read id index table
[    1.136111] jffs2: Flash size not aligned to erasesize, reducing to 6268KiB
[    1.144684] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000000: 0x7368 instead
[    1.154404] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000004: 0x0808 instead
[    1.164088] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000008: 0x68d0 instead
[    1.173772] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000010: 0x001c instead
[    1.183455] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000014: 0x0004 instead
[    1.193137] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000018: 0x06c0 instead
[    1.202823] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x0000001c: 0x0004 instead
[    1.212506] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000020: 0x07b6 instead
[    1.222189] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000028: 0x8a6a instead
[    1.231872] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000030: 0x8a62 instead
[    1.241546] jffs2: Further such events for this erase block will not be printed
[    1.256614] jffs2: Empty flash at 0x00000038 ends at 0x00000040

So I would be confident that U-Boot doesn't have the Ethernet port working. I wonder if anyone can help me transfer the right firmware over serial from Windows? E.g. using KERMIT? So far I never read about anything like this, but it seems it's the only option?

OK, so I guess I'm able to upload the right firmware via serial (using Kermit 95 on Windows 10...)
I just have no idea about the right addresses. If I upload the sysupgrade file, are those the right parameters please?

deleted, possibly wrong

As mentioned https://forum.archive.openwrt.org/viewtopic.php?id=52625&p=8 for C2 AC750 ? Can I simply download sysupgrade from http://downloads.openwrt.org/releases/19.07.0/targets/ramips/mt7620/openwrt-19.07.0-ramips-mt7620-ArcherMR200-squashfs-sysupgrade.bin and follow this ?

...update...

Following https://git.openwrt.org/?p=openwrt/openwrt.git;a=blobdiff;f=tools/firmware-utils/src/mktplinkfw2.c;h=3ab5c52ec2a3b26f927fe76f63e4a0fc67f35b45;hp=213e6729a48877eaecfbaf8de760b44bf03c699e;hb=c8043137bbd323b1490ae8613eab915ba9c138ee;hpb=190ee7d86b450083fea4236d588d0d88a50e1311 and https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob;f=target/linux/ramips/dts/ArcherMR200.dts;h=93fb048d49b14564233a465a426e68334b939991;hb=c8043137bbd323b1490ae8613eab915ba9c138ee I'm not sure the values above are correct.

partition@0 {
        label = "u-boot";
        reg = <0x0 0x20000>;
        read-only;
};

partition@20000 {
        label = "firmware";
        reg = <0x20000 0x7b0000>;

While the sysupgrade file doesn't have the bootloader included, what are the right values please? The size is probably 0x7b0000, the initial address "after" the bootloader is 0x20000, and the address where to load the copied firmware? I found somewhere else 0x80060000.

loadb 0x80060000

erase tplink 0x20000 0x7b0000
cp.b 0x80060000 0x20000 0x7b0000
bootm

Last update: so the update via serial (KERMIT 95 ;-)) ), sending the sysupgrade file above with the following settings in KERMIT, was SUCCESSFUL.

SET MODEM TYPE DIRECT
SET SPEED 115200
SET CARRIER-WATCH OFF
SET FLOW NONE
SET PARITY NONE
SET CONTROL PREFIX ALL
SEND ROM_SYSUPGRADE.BIN

Somehow KERMIT didn't allow me to interrupt the boot process using the "t" key, so I had to use Putty, connected to the terminal, interrupting via the "t" key, then closing, connecting again via KERMIT - sending the file and then - finalising via erase, cp etc. Kind of tricky, yet it was working.

NO IDEA why UBOOT was without Ethernet, but it's good to know there is still KERMIT :wink: Btw, it was possible to download only the non-crypto version of Kermit, but it was OK... (http://www.columbia.edu/kermit/ftp/trial/k95_21_nocrypto_vbox.exe).

Hope someone will find this useful in case of brick.

Last note - I used a TTL USB adapter connecting only GND, RX and TX (RX and TX switched). During the operations I got garbled output - then I found out it was not soldered correctly.

KERMIT SERIAL PORT settings, terminal VT100 :

U-Boot is supposed to have ethernet working. Change your bootloader. You can get it from tp-link website. BTW load address is 0x80000000

Actually I had original FW from TPLink, not sure why it wasn't there. However it's good to know that there is still recovery option over serial even without network connection.

The bootloader is inside the fw, you just need to extract it. BTW the initramfs file is loaded the same way you did, to test the firmware without writing to the flash. If I remember it correctly, it is also the default selection for U-Boot in TP-Link GPL code.

That should be helpful to those who have bad bootloader without ethernet, nice find there.

@gurangax My bricked MR200 is back, thank you for sharing the information!!
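
An added example, not code from any poster in this thread: it checks the erase/cp.b range quoted in the serial-recovery post against the MTD layout printed in the kernel log, so that a write from the U-Boot prompt cannot reach the u-boot, rom, romfile or radio partitions. The function names and the image size are assumptions made for the illustration.

```python
import re

# Top-level spi0.0 partition lines copied from the kernel log in the thread.
# The nested "kernel"/"rootfs" lines are left out: their offsets are relative
# to the "firmware" partition, not to the start of flash.
KERNEL_LOG = """\
[    0.979182] 0x000000000000-0x000000020000 : "u-boot"
[    0.985218] 0x000000020000-0x0000007d0000 : "firmware"
[    1.037711] 0x0000007d0000-0x0000007e0000 : "rom"
[    1.043463] 0x0000007e0000-0x0000007f0000 : "romfile"
[    1.049572] 0x0000007f0000-0x000000800000 : "radio"
"""

MTD_LINE = re.compile(r'0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+) : "([^"]+)"')


def parse_partitions(log):
    """Return {name: (start, end)}; end is exclusive, as the kernel prints it."""
    parts = {}
    for m in MTD_LINE.finditer(log):
        start, end, name = int(m.group(1), 16), int(m.group(2), 16), m.group(3)
        if end <= start:
            raise ValueError(f"bad range for {name}")
        parts[name] = (start, end)
    return parts


def check_flash_plan(parts, target, offset, length, image_size):
    """List the problems with erasing/copying `length` bytes at flash `offset`."""
    problems = []
    start, end = parts[target]
    if offset != start:
        problems.append(f"offset {offset:#x} is not the start of {target} ({start:#x})")
    if offset + length > end:
        problems.append(f"write ends at {offset + length:#x}, past {target} end {end:#x}")
    if image_size > length:
        problems.append("image is larger than the copied length and would be truncated")
    for name, (s, e) in parts.items():
        if name != target and offset < e and s < offset + length:
            problems.append(f"write overlaps {name}")
    return problems


if __name__ == "__main__":
    parts = parse_partitions(KERNEL_LOG)
    image_size = 0x400000  # constructed size; use os.path.getsize() on the real file
    # The plan from the post: erase/cp.b 0x7b0000 bytes at flash offset 0x20000.
    for p in check_flash_plan(parts, "firmware", 0x20000, 0x7B0000, image_size) or ["plan OK"]:
        print(p)
```

The 0x20000 offset and 0x7b0000 length from the post match the "firmware" partition exactly; any plan that starts at 0x0 or runs past 0x7d0000 is reported before anything is erased.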
