Dump of Archer C50 v4 Flash Chip?

Hey guys,
So I did something bad. I hard bricked my Archer C50 v4 by flashing the firmware I made (like it is written in the git commit) directly to the flash chip via SPI over a Raspberry Pi. I misinterpreted the wiki entry for the Archer C50 that says the recovery mode just writes the firmware starting from address zero to the flash chip. I guess this was meant for the Archer C50 v1 and not the v4? Anyway, now it is completely dead (!! and I was stupid and did not back up the chip before (lesson learned now)) and I wanted to ask if somebody knows how I could craft a binary that I could flash directly to the chip, or if somebody has a working dump of their Archer C50 v4. Any help is greatly appreciated :slight_smile:

I could be misunderstanding you, but it sounds like you’ve overwritten the uboot partition.

If that is your problem, I think you are in luck. The method for installing according to the wiki is to merge the u-boot loader (or at least the header) with an OpenWrt image, the u-boot part apparently being readily downloadable from the vendor's site (see the C50 wiki page). In your case, rather than cutting and merging, it sounds like you should be able to extract the u-boot portion and then flash that via your SPI writer to the chip. Once the boot loader is restored you could then try and reflash OpenWrt, or even go to OEM firmware and try another method to flash OpenWrt.

If that doesn't work, maybe @mattburnz or @bill888, or a few others, may have a way to export the bootloader from their device.

1 Like

It looks like the stock firmware binary includes a u-boot binary (starting at offset 0x200, after a TP-Link header) that can be flashed into the chip (remove the first 512 bytes, copy the next 128 KB to the flash starting at address 0).

You have to be careful not to clobber the "radio" partition at the end of the chip (if not already gone). It contains your wifi calibrations and likely the factory MAC addresses.

3 Likes

Hey, first thanks for your reply!
I looked into the GitLab commit that added support for this router and found the partition table. So apparently there is a factory bootloader at 0x00 and then at 0x30000 there is the second u-boot bootloader that you can extract from the factory image. Luckily TP-Link has their GPL code online, so I was able to get the source code and build the first factory bootloader and the second u-boot bootloader. Then I put them together with zeros in between them so the second bootloader starts at address 0x30000. I was even able to just put the OpenWrt image at the proper address (0x50000) and got it to start. Sadly it hangs at startup and I'm sure it is because I also deleted the radio partition at the end of the flash (as you said in your post; it looks like this because I get a warning message that says something about radio). Sadly I wasn't able to find this partition in the TP-Link source code, so I guess I'm stuck here and this thing is toast.
Thanks a lot for your reply though :slight_smile:

Are you still looking for this ART partition? Because I have it.

Unfortunately, the ART partition contains instance-specific information in most cases. Replacing it with one from another unit may allow the device to seem to run, but will have the wrong information for the specific board in hand. At best, you'd have degraded wireless performance. Out-of-spec operation is a significant possibility if using ART data that isn't associated with the board. Such out-of-spec operation is not only illegal in most jurisdictions, but "splatter" or the like could impact the wireless connection to the router itself, as well as any around you, yours or your neighbors'.

2 Likes