Bricked TP-Link TL-WPA8631P v3

Hi, I thought I'd try OpenWRT on this device (a powerline extender). I updated through the web interface and the device went into a boot loop:

[    2.729693] /dev/root: Can't open blockdev
[    2.737948] VFS: Cannot open root device "(null)" or unknown-block(0,0): error -6
[    2.752883] Please append a correct "root=" boot option; here are the available partitions:
[    2.769535] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)
[    2.786002] Rebooting in 1 seconds..

I'm sure this has something to do with an incompatible filesystem layout. But now I'm trying to debrick it, and this isn't going so well either.

I opened up the device, soldered a header for serial and I have a working serial connection for U-boot. So far, so good. But here I'm stuck as there don't seem to be any instructions on what to do from here.

Every search I do points me to this page: https://openwrt.org/docs/guide-user/installation/recovery_methods/u-boot_tftp_recovery but unless I'm going blind there are no links on there that point to information about what to do.

I tried downloading the latest firmware from TP-link and loading it with tftpboot; this transfers OK, but then it won't boot. The same happens when I do this with the OpenWRT firmware:

U-Boot 1.1.3 (Mar 30 2022 - 14:28:15)
MT7621 # printenv
bootcmd=tftp
bootdelay=1
baudrate=57600
ethaddr="00:AA:BB:CC:DD:10"
ipaddr=192.168.0.254
serverip=192.168.0.184
stdin=serial
stdout=serial
stderr=serial

Environment size: 153/4092 bytes
MT7621 # tftpboot
 netboot_common, argc= 1 
 NetTxPacket = 0x83FE5400 
 KSEG1ADDR(NetTxPacket) = 0xA3FE5400 
 NetLoop,call eth_halt ! 
 NetLoop,call eth_init ! 
Trying Eth0 (10/100-M)
 Waitting for RX_DMA_BUSY status Start... done

 ETH_STATE_ACTIVE!! 
*** Warning: no boot file name; using 'test.bin'
TFTP from server 192.168.0.184; our IP address is 192.168.0.254
Filename 'test.bin'.

 TIMEOUT_COUNT=10,Load address: 0x80100000
Loading: checksum bad
checksum bad
checksum bad
checksum bad
checksum bad
checksum bad
Got ARP REPLY, set server/gtwy eth addr (54:ee:75:51:ab:50)
Got it
#################################################################
[...]
         ##############################################
done
Bytes transferred = 8554153 (8286a9 hex)
NetBootFileXferSize= 008286a9
MT7621 # bootm
## Booting image at 80100000 ...
text base: ffffffff
entry point: ffffffff
   Uncompressing Kernel Image ... LZMA ERROR 1 - must RESET board to recover

Because I'm getting the same LZMA error for both the original firmware as well as the OpenWRT firmware I'm suspecting that maybe the file format is not what it is expecting? But if that's the case, what is it expecting?

I do have a USB flasher with a clip for SOIC8 packages, but it has been 20 years since I flashed anything, and for the direct flash route there seems to be even less information about how to do this. Plus I'm sure I can't just flash the binary file to the chip, right?

Please help me out here, thanks!

No one has any advice? :frowning:

Did you make a note of the firmware your device was running prior to flashing openwrt?

Devices running these early OEM firmware versions MUST first be upgraded to a later OEM version before attempting to install OpenWRT, as the older flash partition layouts are incompatible with these images and you could risk bricking your device.
3.0.0 Build 20200314 Rel.3608
3.0.0 Build 20200508 Rel.41814

I didn't have to as I upgraded to the latest version, especially because of the notice. The version I flashed was 3.0.1.

I'm guessing the latest firmware made incompatible changes to the partitions again.

Are you restoring the same stock version you flashed prior to trying to flash openwrt?

Yes, the exact same file.

Are you certain the device was flashed successfully to 3.0.1 prior to openwrt factory.bin file install?

Did you prepare the OEM firmware using tplink-safeloader as instructed in the wiki?

No, I didn't use tplink-safeloader. It didn't seem to be needed when debricking, just when upgrading a working OpenWRT installation.

And I didn't consider it, as I have tried to use the "sysupgrade" OpenWRT binary with tftpboot/bootm (openwrt-22.03.3-ramips-mt7621-tplink_tl-wpa8631p-v3-squashfs-sysupgrade.bin) and it got me the same error:

U-Boot 1.1.3 (Mar 30 2022 - 14:28:15)
MT7621 # tftpboot
 netboot_common, argc= 1 
 NetTxPacket = 0x83FE5400 
 KSEG1ADDR(NetTxPacket) = 0xA3FE5400 
 NetLoop,call eth_halt ! 
 NetLoop,call eth_init ! 
Trying Eth0 (10/100-M)

 Waitting for RX_DMA_BUSY status Start... done
 ETH_STATE_ACTIVE!! 
TFTP from server 192.168.0.184; our IP address is 192.168.0.254
Filename 'test.bin'.

 TIMEOUT_COUNT=10,Load address: 0x80100000
Loading: checksum bad
checksum bad
checksum bad
checksum bad
checksum bad
checksum bad
T Got ARP REPLY, set server/gtwy eth addr (54:ee:75:51:ab:50)
Got it
#################################################################
[...]
         #############################################
done
Bytes transferred = 6881886 (69025e hex)
NetBootFileXferSize= 0069025e
MT7621 # bootm
## Booting image at 80100000 ...
text base: 80001000
entry point: 80001000
   Uncompressing Kernel Image ... LZMA ERROR 1 - must RESET board to recover

<reboot>

Theoretically, would using tplink-safeloader on the OEM firmware get me something that would boot when the sysupgrade binary doesn't? What does tplink-safeloader do to the firmware?

I want to try the tplink-safeloader version of the OEM firmware, however I see: "The Image Builder runs only in 64-bit Linux.". The only systems I have available are BSD and Windows.

Could someone run this utility on the binary? It'd save me setting up a linux install just to run this utility on the firmware. The firmware is at https://static.tp-link.com/upload/firmware/2022/202204/20220420/TL-WPA8631P(EU)_V3_220330.zip

Yes, I rebooted and checked the version.

I looked into it and it looks as though safeloader converts a stock image to a sysupgrade compatible file, so it's easier to move to stock from openwrt. There is a website which converts the images: https://argsnd.github.io/tp-link-stock-firmware-converter/index.html

I'm not 100% sure the safeloader will help.

Can you try the tftpboot again but try

tftp ${loadaddr}

I tried that already, it doesn't make a difference. I'll try the online safeloader and see what happens.

Also, I tried the openwrt-22.03.3-ramips-mt7621-tplink_tl-wpa8631p-v3-initramfs-kernel.bin file, and this DOES boot fine. When trying to flash the OpenWRT firmware to the device this works, but results in the same boot loop ("/dev/root: Can't open blockdev").

I'm assuming OpenWRT is just not compatible with the latest 3.0.1 firmware.

Interesting!

Once you get to openwrt, use the safeloadered OEM firmware to flash to stock. This should work.

If you get back to stock, I wonder if downgrading to a firmware listed on the wiki page will help to get to openwrt.

The wiki does not actually list any firmware that is compatible, it just says "All later releases use the same consistent flash layout documented below and are safe to use.", which may have been true in February 2022, but probably isn't any longer. The link to the commit specifies "EU 'Build [20200927] Rel.61199' or later", so I guess I can try that build when I get it unbricked.

Unfortunately the online safeloader results in a zero-byte file :frowning:

Any chance you can run the firmware through tplink-safeloader and link it for me?

Also, if the safeloadered OEM firmware doesn't work, I was thinking about somehow extracting the bootloader code and downgrading the U-boot bootloader, since after the upgrade to 3.0.1 it has a date of March 2022 and is probably the reason for the LZMA errors. I'm guessing that when I downgrade to a bootloader from before February 2022 I can then flash an older OEM firmware too.

Do you have any idea how to get the bootloader code from the OEM firmware to use with U-boot option "9: Load Boot Loader code then write to Flash via TFTP. "? I would guess getting 128kb out of the binary, but where to start? :wink:

Yeah was just thinking one of the versions it says explicitly.

I compiled the binary but it says no board specified. I looked at the source and it has specific boards it supports. Doesn't look like TL-WPA8631P v3 is mentioned in the source.

Do you have any idea how to get the bootloader code from the OEM firmware to use with U-boot option "9: Load Boot Loader code then write to Flash via TFTP. "? I would guess getting 128kb out of the binary, but where to start? :wink:

binwalk had this to say

binwalk wpa8631pv3_eu-up-ver3-0-1-P1-20220330-rel52768-APPLC.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
80420         0x13A24         U-Boot version string, "U-Boot 1.1.3 (Mar 30 2022 - 14:28:15)"
119317        0x1D215         TP-Link firmware header, firmware version: 0.0.0, image version: "", product ID: 0x0, product version: 0, kernel load address: 0x0, kernel entry point: 0x100081, kernel offset: 0, kernel length: 512, rootfs offset: 3298635, rootfs length: 0, bootloader offset: 0, bootloader length: 0
119829        0x1D415         LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 8525632 bytes
3418465       0x342961        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 4004896 bytes, 907 inodes, blocksize: 262144 bytes, created: 2022-03-30 06:39:27

edit: so perhaps

dd if=wpa8631pv3_eu-up-ver3-0-1-P1-20220330-rel52768-APPLC.bin of=uboot.bin bs=1 count=80420 skip=0

I would be careful writing uboot though. You might completely brick your device and end up having to dust off your SOIC8 :wink:
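
An added example (not code from any poster in this thread): a small Python scanner that finds the same three markers binwalk reports above, decodes their header fields, and lists which markers a `dd`-style carve of the first N bytes would actually contain. The sample blob is constructed with made-up offsets (only its field values echo the binwalk output), and all function names are this example's own.

```python
import struct

SQUASHFS_COMP = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}

def _find_all(data, needle):
    pos = data.find(needle)
    while pos != -1:
        yield pos
        pos = data.find(needle, pos + 1)

def scan(data):
    """Return (offset, kind, details) tuples, sorted by offset, for markers in a firmware blob."""
    hits = []
    for off in _find_all(data, b"U-Boot "):           # NUL-terminated version string
        end = data.find(b"\x00", off)
        text = data[off:end if end != -1 else len(data)]
        hits.append((off, "uboot-version", text.decode("ascii", "replace")))
    for off in _find_all(data, b"\x5d\x00\x00"):      # LZMA props 0x5D + low dictionary bytes
        if off + 13 > len(data):
            continue
        dict_size, unpacked = struct.unpack_from("<IQ", data, off + 1)
        # Plausibility filter: power-of-two dictionary, known size under 256 MiB
        if dict_size and dict_size & (dict_size - 1) == 0 and 0 < unpacked < 1 << 28:
            hits.append((off, "lzma", {"dict": dict_size, "unpacked": unpacked}))
    for off in _find_all(data, b"hsqs"):              # little-endian SquashFS magic
        if off + 48 > len(data):
            continue
        inodes, block, comp, major = struct.unpack_from("<4xI4xI4xH6xH", data, off)
        (used,) = struct.unpack_from("<Q", data, off + 40)   # bytes_used field
        hits.append((off, "squashfs", {"version": major, "comp": SQUASHFS_COMP.get(comp, comp),
                                       "inodes": inodes, "block": block, "size": used}))
    return sorted(hits, key=lambda h: h[0])

def markers_in_carve(hits, count):
    """Kinds of markers that start inside the first `count` bytes (what a carve would include)."""
    return [kind for off, kind, _ in hits if off < count]

def build_sample():
    """Constructed miniature image: offsets are invented, field values echo the thread."""
    blob = bytearray(b"\xff" * 0x400)
    ver = b"U-Boot 1.1.3 (Mar 30 2022 - 14:28:15)\x00"
    blob[0x40:0x40 + len(ver)] = ver
    blob[0x100:0x10D] = b"\x5d" + struct.pack("<IQ", 33554432, 8525632)
    sqfs = struct.pack("<4sIIIIHHHHHHQQ", b"hsqs", 907, 0, 262144, 0, 4, 18, 0, 1, 4, 0, 0, 4004896)
    blob[0x200:0x200 + len(sqfs)] = sqfs
    return bytes(blob)

if __name__ == "__main__":
    for hit in scan(build_sample()):
        print(hit)
```

A marker offset is where that marker starts, not the size of the region around it: a carve whose length equals the version string's offset ends just before the string. Running `markers_in_carve()` on a carved length before writing anything to flash makes that visible.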

Well, for all intents and purposes the device is already completely bricked. So I'll march on, I can always give up and scrap it later :wink:

OK, so that didn't work :smiley:

So, on to flashing the chip directly. Unfortunately there seems to be even less information about how to do this. flashrom is fine, but what to flash? Surely I cannot just flash the OEM firmware binary?

binwalk wpa8631pv3_eu-up-ver3-0-0-P1-20210514-rel45003-APPLC.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
80420         0x13A24         U-Boot version string, "U-Boot 1.1.3 (May 14 2021 - 12:17:34)"
119317        0x1D215         TP-Link firmware header, firmware version: 0.0.0, image version: "", product ID: 0x0, product version: 0, kernel load address: 0x0, kernel entry point: 0x100081, kernel offset: 0, kernel length: 512, rootfs offset: 3296626, rootfs length: 0, bootloader offset: 0, bootloader length: 0
119829        0x1D415         LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 8525632 bytes
3416456       0x342188        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 3998620 bytes, 907 inodes, blocksize: 262144 bytes, created: 2021-05-14 04:30:02

I've seen people on the forum ask for full flash dumps from the same device, to recover their own devices.

Can you post the full log after you flash openwrt from the uboot kernel booted system?