Debrick TP-Link RE650 v1 using Raspberry Pi

Installing and Using OpenWrt
1

I bricked my RE650 v1 by flashing the incorrect image from the Openwrt GUI after overriding various warnings from the GUI.

Once bricked, the device simply flashes few seconds blue, tint of red and blue and cycles. Ethernet port does not wake up.

After much trial and error below is what worked for me to debrick.

WARNING: This required opening the chassis of RE650, which is a HIGH VOLTAGE device. * Risk of deadly electrical shock. Please read all warnings on https://openwrt.org/toh/tp-link/re650_v1#opening_the_case and do not make any attempt to follow the below. Never touch or walk near anything connected to a tampered-with device. Be mindful of surroundings and other people.

Prerequisites

  1. T6 Torx screwdriver
  2. Flat head screwdriver/credit card
  3. Basic soldering skills
  4. Soldering iron
  5. Solder wire
  6. Three jumper wires with female ends on one side
  7. Raspberry Pi; any version down to zero should work, I used Pi 2
  8. A second computer to SSH into the Raspberry Pi from - as safety precaution to enable all fingers to be on very safe distance from the tampered with high voltage device (RE650) and its connections

Disassembly

  1. Physically removed all devices, power plugs from power circuit and sockets
  2. Removed the torx screws on the RE650
  3. Used a flat head screwdriver, credit card or similar to pry open up the chassis

Establish hardware port connections

  1. Soldered 3 jumper wires as guided https://openwrt.org/toh/tp-link/re650_v1#serial
  2. Attached the other end of the wires to Raspberry Pi GND (6) and UART pins (8/GPIO14,10/GPIO15)
  3. Connected the RE650 and Raspberry with the Ethernet ports/cable
  4. "Soft" reattached the RE650 chassis cover for protective purpose (no screws)

Create TFTP server

  1. In a safe environment, powered on the RE650 and Raspberry Pi
  2. Opened a terminal and SSH'd into the Raspberry Pi
  3. Created a directory /tftpboot on the Pi
    sudo mkdir /tftpboot
  4. Downloaded the device specific initramfs and sysupgrade images from https://downloads.openwrt.org/releases/23.05.2/targets/ramips/mt7621/
  5. Renamed the initramfs file to init.bin and the sysupdate file to sysup.bin
  6. Placed the files in /tftpboot and opened all permissions
    sudo chown -R nobody /tftpboot
    sudo chmod -R a+rx /tftpboot
  7. Started tftp server
    sudo dnsmasq -d --port=0 --enable-tftp –tftp-root=/tftpboot

Access bootloader and flash

  1. Opened a second terminal and SSH'd into the Raspberry Pi
  2. Installed minicom on the Pi
    sudo apt get minicom
  3. Verified that the serial device is detected by the PI
    sudo ls /dev/tty*
  4. Enabled access to the serial device
    sudo chmod a+rw /dev/ttyAMA0
  5. Connected to the bootloader
    minicom -D/dev/ttyAMA0 -b57600
  6. Data output from router is seen, selected menu option by clicking "1" - Load system code to SDRAM via TFTP
  7. Let router keep its default IP address, set server IP to IP of Raspberry ETH0 interface
  8. Selected init.bin as file to upload
  9. Waited until upload finished and router autorebooted. Pressed enter to drop to shell.
  10. Went back to first terminal and shut down (ctl-c) the TFTP server
  11. Uploaded file from Raspberry to Router ip
    scp /tftpboot/sysup.bin root@192.168.0.1:/tmp
  12. Went back to minicom window (router shell) and flashed it
    sysupgrade -v /tmp/sysup.bin
  13. Waited until upload finished and router autorebooted.
  14. Re650 was now debricked and I could access it as any initial openwrt installation
  15. Went back to Raspberry shell and deleted the /tftpboot directory
cd /tftpboot
rm *.bin
cd ..
rmdir /tftpboot

Pitfalls

  1. TFTP and SCP fails if the Router and the Raspberry ETH0 interface are not on the same subnet. The router defaulted to 192.168.0.254 whereas my Raspberry ETH0 was set as 192.168.1.xxx; Used ip addr to monitor in each device's shell their IP. I updated the routers LAN IP through vi /etc/config/network followed by service network restart to effect the change. I updated the Raspberry eth0 ip through sudo nano /etc/dhcpcd.conf and played with the eth0 section and the lines...
    #profile static_eth0
    #static ip_address=192.168.1.23/24
    ... in order to set my Raspberry eth0 ip as desired followed by sudo ifconfig eth0 down and sudo ifconfig eth0 up to effect the change.
    My Raspberry froze up a couple of times because its wifi ip and eth0 ip/subnet seemed to run into conflict. Simply unplugged the ethernet cable and updated the ips properly and replugged the cable unfroze the Raspberry and reenabled router comm over ethernet.
  2. Dont waste time trying to send image over serial (kermit). Trial and error where each trial takes 25 minutes (57600 baud) is not fun. And I didnt get it to work probably because I am unsure which image stripped or unstripped to go with. Just use TFTP. Faster and easier. Use serial for the only purpose of issuing shell commands.
  3. I tried setting up a TFTP server by installing to Raspberry the packages xinetd tftpd tftp and configuring it. That did not work. Probably some configuration/access issue but the router didnt give much hints to what was the problem and I was too lazy to look for logs. My TFTP connection only began to work after using the dnsmasq command described above - it seems dnsmasq provides built-in tftp read-only support, which seemed sufficient.

Screenshot from 2024-01-31 17-57-19
Screenshot from 2024-01-31 17-57-19912×553 47.3 KB

AB4BDFB3-55C3-449E-8C6C-03EFE3A28A77
AB4BDFB3-55C3-449E-8C6C-03EFE3A28A771920×2560 328 KB

2 Likes