Flash TL-MR6400 V5.30 OEM firmware with TFTP

I have a TL-MR6400 V5.30 router.

I tried OpenWRT for the VPN client feature, but it's not that reliable, and my use case has changed, so I wanted to flash the original firmware.

I downloaded the TL-MR6400(EU)_5.0_1.7.0 Build 240716.zip firmware from the official website (and I selected the proper hardware version V5.30)

then I extracted the bin file TL-MR6400(EU)v5_1.7.0_0.9.1_[240716-rel67874]_up_boot_All_Release_2024-07-17_17.59.34.bin and I tried to flash it using tftp on windows

it loads the file until it's 96% and then it returns the following error TIMEOUT waiting for Ack block #128926

The first weird thing I noticed is that the bin file is ~67MB! (the RAM of this router is 64MB so it makes sense for the firmware to fail)

I googled the issue, and I noticed people here and on Reddit and here suggesting stripping the firmware before flashing it using the following command: dd if=original.bin of=tp_recovery skip=257 bs=512 and dd if=original.bin of=tp_recovery skip=257 bs=512. I also tried to add the count=16000 parameter yet that didn't seem to help.

I also tried to binwalk the OEM firmware and OpenWRT, extracting the same partitions in OpenWRT from OEM, which produced an ~8MB firmware, but the router kept flashing all lights after that.

I need to know what I should do to flash the OEM firmware again.
I know I'm on the right path with binwalk and dd but I can't figure the proper parameters (should I include U-boot with it or no?) what count should I use?
I'm interested in solving my issue + understanding how the solution works.

here's the binwalk output for the OEM firmware

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
83296         0x14560         U-Boot version string, "U-Boot 1.1.3 (Jul 16 2024 - 18:35:17)"
132096        0x20400         LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 3754524 bytes
1376768       0x150200        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 5826136 bytes, 666 inodes, blocksize: 131072 bytes, created: 2024-07-16 10:51:28
8192512       0x7D0200        Zip archive data, at least v1.0 to extract, name: bin/
8192574       0x7D023E        Zip archive data, at least v2.0 to extract, compressed size: 23041, uncompressed size: 57672, name: bin/npd6
8215681       0x7D5C81        Zip archive data, at least v2.0 to extract, compressed size: 285131, uncompressed size: 726816, name: bin/openvpn
8500881       0x81B691        Zip archive data, at least v2.0 to extract, compressed size: 30759, uncompressed size: 83756, name: bin/zebra
8531707       0x822EFB        Zip archive data, at least v2.0 to extract, compressed size: 35224, uncompressed size: 93964, name: bin/ripd
8566997       0x82B8D5        Zip archive data, at least v2.0 to extract, compressed size: 67685, uncompressed size: 168476, name: bin/tc
8634746       0x83C17A        Zip archive data, at least v1.0 to extract, name: etc/
8634808       0x83C1B8        Zip archive data, at least v2.0 to extract, compressed size: 288, uncompressed size: 638, name: etc/ipsec.conf
8635168       0x83C320        Zip archive data, at least v1.0 to extract, name: etc/strongswan.d/
8635243       0x83C36B        Zip archive data, at least v2.0 to extract, compressed size: 122, uncompressed size: 173, name: etc/strongswan.d/starter.conf
8635452       0x83C43C        Zip archive data, at least v1.0 to extract, name: etc/strongswan.d/charon/
8635534       0x83C48E        Zip archive data, at least v2.0 to extract, compressed size: 157, uncompressed size: 231, name: etc/strongswan.d/charon/wolfssl.conf
8635785       0x83C589        Zip archive data, at least v2.0 to extract, compressed size: 511, uncompressed size: 986, name: etc/strongswan.d/charon/stroke.conf
8636389       0x83C7E5        Zip archive data, at least v2.0 to extract, compressed size: 229, uncompressed size: 491, name: etc/strongswan.d/charon/socket-default.conf
8636719       0x83C92F        Zip archive data, at least v2.0 to extract, compressed size: 96, uncompressed size: 130, name: etc/strongswan.d/charon/des.conf
8636905       0x83C9E9        Zip archive data, at least v2.0 to extract, compressed size: 97, uncompressed size: 132, name: etc/strongswan.d/charon/nonce.conf
8637094       0x83CAA6        Zip archive data, at least v2.0 to extract, compressed size: 899, uncompressed size: 2449, name: etc/strongswan.d/charon/kernel-netlink.conf
8638094       0x83CE8E        Zip archive data, at least v2.0 to extract, compressed size: 4332, uncompressed size: 12086, name: etc/strongswan.d/charon.conf
8642512       0x83DFD0        Zip archive data, at least v2.0 to extract, compressed size: 738, uncompressed size: 2359, name: etc/strongswan.d/charon-logging.conf
8643344       0x83E310        Zip archive data, at least v2.0 to extract, compressed size: 60, uncompressed size: 81, name: etc/ipsec.secrets
8643479       0x83E397        Zip archive data, at least v2.0 to extract, compressed size: 217, uncompressed size: 378, name: etc/strongswan.conf
8643773       0x83E4BD        Zip archive data, at least v1.0 to extract, name: etc/ipsec.d/
8643843       0x83E503        Zip archive data, at least v1.0 to extract, name: etc/ipsec.d/ocspcerts/
8643923       0x83E553        Zip archive data, at least v1.0 to extract, name: etc/ipsec.d/reqs/
8643998       0x83E59E        Zip archive data, at least v1.0 to extract, name: etc/ipsec.d/cacerts/
8644076       0x83E5EC        Zip archive data, at least v1.0 to extract, name: etc/ipsec.d/aacerts/
8644154       0x83E63A        Zip archive data, at least v1.0 to extract, name: etc/ipsec.d/certs/
8644230       0x83E686        Zip archive data, at least v1.0 to extract, name: etc/ipsec.d/crls/
8644305       0x83E6D1        Zip archive data, at least v1.0 to extract, name: etc/ipsec.d/private/
8644383       0x83E71F        Zip archive data, at least v1.0 to extract, name: etc/ipsec.d/acerts/
8644460       0x83E76C        Zip archive data, at least v1.0 to extract, name: lib/
8644522       0x83E7AA        Zip archive data, at least v1.0 to extract, name: lib/plugins/
8644592       0x83E7F0        Zip archive data, at least v2.0 to extract, compressed size: 5712, uncompressed size: 12784, name: lib/plugins/libstrongswan-socket-default.so
8650405       0x83FEA5        Zip archive data, at least v2.0 to extract, compressed size: 38651, uncompressed size: 88320, name: lib/plugins/libstrongswan-kernel-netlink.so
8689157       0x849605        Zip archive data, at least v2.0 to extract, compressed size: 1998, uncompressed size: 4712, name: lib/plugins/libstrongswan-nonce.so
8691247       0x849E2F        Zip archive data, at least v2.0 to extract, compressed size: 19435, uncompressed size: 53068, name: lib/plugins/libstrongswan-wolfssl.so
8710776       0x84EA78        Zip archive data, at least v2.0 to extract, compressed size: 10389, uncompressed size: 29956, name: lib/plugins/libstrongswan-des.so
8721255       0x851367        Zip archive data, at least v2.0 to extract, compressed size: 37861, uncompressed size: 102148, name: lib/plugins/libstrongswan-stroke.so
8759209       0x85A7A9        Zip archive data, at least v2.0 to extract, compressed size: 27484, uncompressed size: 237716, name: lib/NetIspInfo.ini
8786769       0x861351        Zip archive data, at least v2.0 to extract, compressed size: 236739, uncompressed size: 687764, name: lib/libcharon.so.0.0.0
9023588       0x89B064        Zip archive data, at least v2.0 to extract, compressed size: 198184, uncompressed size: 446452, name: lib/libwolfssl.so.24.2.0
9221854       0x8CB6DE        Zip archive data, at least v2.0 to extract, compressed size: 413578, uncompressed size: 906692, name: lib/libsqlite3.so.0.8.6
9635513       0x9306B9        Zip archive data, at least v2.0 to extract, compressed size: 112570, uncompressed size: 370432, name: lib/appid.ko
9748153       0x94BEB9        Zip archive data, at least v2.0 to extract, compressed size: 170518, uncompressed size: 462832, name: lib/libstrongswan.so.0.0.0
9918755       0x975923        Zip archive data, at least v1.0 to extract, name: libexec/
9918821       0x975965        Zip archive data, at least v1.0 to extract, name: libexec/ipsec/
9918893       0x9759AD        Zip archive data, at least v2.0 to extract, compressed size: 31138, uncompressed size: 78052, name: libexec/ipsec/starter
9950110       0x97D39E        Zip archive data, at least v2.0 to extract, compressed size: 6475, uncompressed size: 16136, name: libexec/ipsec/stroke
9956663       0x97ED37        Zip archive data, at least v2.0 to extract, compressed size: 5531, uncompressed size: 12680, name: libexec/ipsec/charon
9962272       0x980320        Zip archive data, at least v1.0 to extract, name: sbin/
9962335       0x98035F        Zip archive data, at least v2.0 to extract, compressed size: 2602, uncompressed size: 7694, name: sbin/ipsec
9969659       0x981FFB        End of Zip archive, footer length: 22
9969681       0x982011        Zip archive data, at least v1.0 to extract, compressed size: 449004, uncompressed size: 449004, name: appsboot.mbn
10418755      0x9EFA43        Zip archive data, at least v1.0 to extract, compressed size: 5640192, uncompressed size: 5640192, name: mdm9607-boot.img
16059021      0xF50A8D        Zip archive data, at least v1.0 to extract, compressed size: 28442624, uncompressed size: 28442624, name: mdm9607-sysfs.ubi
44501720      0x2A70AD8       Zip archive data, at least v1.0 to extract, compressed size: 24248320, uncompressed size: 24248320, name: NON-HLOS.ubi
68750447      0x4190C6F       End of Zip archive, footer length: 22

and here's the one from OpenWRT

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 3754524 bytes
1244672       0x12FE00        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 5826136 bytes, 666 inodes, blocksize: 131072 bytes, created: 2024-07-16 10:51:28

thanks in advance for any help.

Ask vendor for support with their bits.

Do not 'just try' stripping, unless you're 101% sure that the advice is valid for your device and comes from a reputable source. If done incorrectly, it can brick your device for good - and TP-Link has changed their approach multiple times in recent years (so I'll refrain from giving advice, as I don't know this device and am only familiar with their old generations).

Just in general, the dd command you quoted only strips off 128 KB of the file, which still wouldn't fit into RAM that way - so there must be something (very) fishy about this advice (AI hallucination?).

They said they can't help

Tried reproducing what I did in 2021 with the V5.30 image TL-MR6400(EU)_5.0_1.7.0 Build 240716.zip

Using the command below I got a file that is very similar to the one I had from back then. I.e. similar header and same offset for LZMA compressed data.

dd if=TL-MR6400\(EU\)v5_1.7.0_0.9.1_\[240716-rel67874\]_up_boot_All_Release_2024-07-17_17.59.34.bin bs=512 skip=1 count=16000 of=tp_recovery.bin

Since I don't have a V5.30 I can't test. Hopefully generating this file will work for you.

Thanks for your help!

this time the router isn't flashing all the lights, but it didn't erase any of its configurations (wifi ssid is still the same for example) and Luci UI now returns 500 Internal Server Error and 192.168.0.1 (this is the IP for the original framework) doesn't work.

I think we're getting closer, do you have any other suggestions in mind?

UPDATE: I've just noticed that I can ssh root@192.168.1.1 but it asks for a password but I haven't set onebefore so I couldn't ssh into it

Have you tried holding down the WPS/Reset button for several seconds? This should clear all configuration.

Not sure if ssh always asks for a password, even when none is set. Have you tried no password, i.e. pressing the enter key on the password prompt?

After clearing all configurations, I get a broken login page (HTML only) due to failing to load several js files when inspecting the files in the sources panel I notice that the same HTML document is returned for any URL I pass including the js ones

I tried logging in with no password and it rejected me, after resetting the router ssh returns PTY allocation request failed on channel 0 ssh request failed on channel 0

One thing I've just learned while analyzing the bin files (maybe it's obvious for experts) is that OpenWRT bin files are filled with zeros from beginning until the first file. but that's not the case for the OEM firmware

(I don't know if this helps)

Try this please?

dd if=original.bin of=tp_recover.bin skip=1 bs=512 count=16000 is exactly what I've just done, as @robje gave me the same command but instead or original.bin he wrote the actual file name.

is there anything that you want to draw my attention to?

I'd like to draw everyone's attention to the fact that the OEM firmware contains a U-Boot section at the beginning of the bin file. Should this be included when flashing?

and it contains two zip files in the end (one is ~17MB and the other is ~58MB). I still can't understand how did all this fit into the router originally?

For the login page, did you try force reload ([ctrl]+[f5]) and/or clear browser cache?

Not sure if it is, but there might be a telnet daemon active on the router. did you try telnet as well?

this first section is a header with information about contents of the rest of the file. Not sure why this header is all zeros for OpenWRT. Wild guess: TFTP does not use this header and the web based upgrade process does.