Does OpenWRT replace the ENTIRE firmware - Archer C60?

I've got a TP-Link Archer C60 and I need to remove the BIOS chip to flash it because TP-Link won't allow 3rd party BIOS flashing. So, if I flash OpenWRT onto the BIOS chip, does OpenWRT replace every line of code or is there some code (maybe U-Boot) left that will prevent future modding/flashing/updating of the BIOS?

Thanks.

Please do understand that there is no 'BIOS' on mips or arm targets at all, what might partially provide a subset of 'BIOS' functionality (plus very orthogonal functionality) would be the bootloader (mostly u-boot) and the kernel/ DTS. Accordingly there is no "BIOS chip" on the board either, just a generic 8 MB spi-nor flash, which makes up the whole permanent storage of your device. This flash contains (potentially among other things) the r/o bootloader (u-boot), which is never touched by OpenWrt, the corresponding (maybe r/w) bootloader environment, kernel && rootfs && rootfs_data (only these are ever touched by OpenWrt and contain all of the runtime software) and r/o radio calibration data (ART).

So no, OpenWrt does not replace the complete flash contents, it relies on the vendor bootloader (uboot && ubootenv) and radio calibration data (plus eventually optional vendor/ model specific partitions ignored by OpenWrt) to be present and functional. If you know what you're doing, you may be able to build a replacement bootloader (uboot) - depending on your abilities either based on the OEM bootloader or port it over to upstream uboot, but this is a risky process that will involve a lot of experience and tinkering on your side.

1 Like
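The flash layout described in the answer above can be inspected on a running OpenWrt system through `/proc/mtd`. The following is an added example, not part of the original thread: it reads `/proc/mtd`-format text and marks which partitions belong to the kernel/rootfs/rootfs_data set the answer says OpenWrt writes. The partition names and sizes in the sample are constructed and are not the real Archer C60 layout; `sample_mtd` and `classify_mtd` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed sample in /proc/mtd format for an 8 MB SPI-NOR flash.
# Names and sizes are assumptions for illustration only.
sample_mtd() {
cat <<'EOF'
dev:    size   erasesize  name
mtd0: 00020000 00010000 "u-boot"
mtd1: 00010000 00010000 "u-boot-env"
mtd2: 001c0000 00010000 "kernel"
mtd3: 00600000 00010000 "rootfs"
mtd4: 00300000 00010000 "rootfs_data"
mtd5: 00010000 00010000 "art"
EOF
}

# Reads /proc/mtd-format text on stdin and prints one line per partition:
#   <dev> <name> <size> KiB <class>
# followed by the summed size of the flash.
classify_mtd() {
    total=0
    while read -r dev size _erase name; do
        case "$dev" in
            mtd*:) ;;          # a partition line
            *) continue ;;     # header or blank line
        esac
        name=${name#\"}; name=${name%\"}   # strip the surrounding quotes
        bytes=$((0x$size))                 # sizes are hexadecimal byte counts
        case "$name" in
            kernel|rootfs|rootfs_data) class="rewritten-by-openwrt" ;;
            *)                         class="left-as-is" ;;
        esac
        # Assumption: rootfs_data is carved out of rootfs (squashfs images),
        # so it is not counted a second time in the total.
        [ "$name" = rootfs_data ] || total=$((total + bytes))
        printf '%s %s %d KiB %s\n' "${dev%:}" "$name" $((bytes / 1024)) "$class"
    done
    printf 'total %d KiB\n' $((total / 1024))
}

# Runs on the constructed sample; on a router use: classify_mtd < /proc/mtd
sample_mtd | classify_mtd
```

Whether a partition is actually write-protected is a separate property from its name; on the device it is exposed per partition under `/sys/class/mtd/`.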

@slh

Thank you for your detailed, thorough and super technical answer. Your answer raises 2 more questions, if I may. I really love this forum, post a question and you get an answer almost instantly.

  1. Assuming that the router has stock firmware on it, complete with the usual OEM backdoors, would it be possible for a hacker to remotely access the router through some backdoor and program some script into the Uboot loader to say, send all packets to the intended destination AND to his/her server, thus acquiring all passwords and login info? I'm thinking that this weakness of using OEM blobs is exactly like the Intel backdoor ME so even running the most secure Linux offers no protection at all.

  2. A more specific question is OpenWRT on the TP-Link router. If I flash the OpenWRT firmware to my Archer C60 and want to update the firmware later on, by running opkg install updates, will the OEM U-Boot or other OEM blob send a message saying that the file size is wrong or whatever message it sends to prevent third party BIOS flashing?

Thanks

1: Other than UEFI or ACPI/SMM, the bootloader on ARM/mips usually doesn't provide any runtime services - after the handover to the kernel (OEM XOR OpenWrt) its duties are done and it's no longer running. While it's imaginable that someone finds some way to come up with a backdoored resident procedure, this is not very likely on mips/ARM.

2: The OEM bootloader may have implemented something like secure boot, only booting kernels signed by a particular key - this is device dependent and can't be answered in a generic way. Once OpenWrt is installed, the bootloader is typically never touched again (not updated, not modified), so it is unlikely to suddenly gain unwanted 'features' - reverting to OEM firmwares/updating OEM firmwares however do pose this potential threat.

1 Like