Guide on unlocking TP-Link Archer MR200 from your carrier

Hey there.

So you have got a carrier locked Archer MR200, and decided to unlock it to use with other carriers, great decision, after 2 weeks of searching, testing, I have come to the result that even if it seems impossible, the router/4G modem got unlocked.

Precaution
If you have a SOIC8 connector as well as a programmer (CH340a or just a Raspberry Pi), I suggest you to dump all the contents of the chip as a backup since you will need to install custom firmware to gain access to the secret Modem Web Console. Dumping will make sure you will be able to go straight back to stock without any issues.

Remember to check if your carrier provides the firmware online to download or not, as it is important to keep it since the bootloader is carrier specific, if your carrier doesn't provide it however, you either need to make a dump of the chip of the router or use another carrier's flash (Orange works).

Read the Archer MR200 Debricking as well as the TFTP install guide at https://openwrt.org/toh/tp-link/archer_mr200 to know how to connect to the chip and how to make a dump.

Required Files
OpenWRT build for Archer MR200 - https://drive.google.com/open?id=0B9LBOwJy0I9lUHVmRHllV25UX2s

MR200 Unlocked Modem Firmware - https://xwtk.cloud/delivery/MR200_Modem.zip

Process
Once you have dumped your firmware, start off by flashing the OpenWRT firmware by using the guide linked above. Connect via WiFi (that is important), and goto 192.168.225.1/login.html, that is the Modem Web Console. Your Archer MR200 is basically a router with a 4G MiFi modem connected to it on the board, and OpenWRT allows you to access that modem.

Note that the web console doesn't function fully since it's made to communicate with the stock firmware in mind, so don't setup anything, just goto Settings > Device > Firmware Upgrade

Now click Upgrade from Local Server, and click Choose File, use MR200_Modem.zip and update, wait for the upload to goto 100%, then wait for about 3 minutes, after which, power cycle the router, and wait for it to boot.

You have successfully unlocked your modem. Now you need to flash your stock firmware and you will be good to go. Don't use MR200_Back_to_stock.bin provided in forums, it will brick your router since it has the stock bootloader and firmware.

Either flash your dump directly to the chip via a programmer, or use your carrier firmware, remember to cut the header by using dd (prebuilt in Linux, Windows port available) by typing the command below.

dd if=firmware.bin of=firmware_noheader.bin bs=512 skip=1

Then use the OpenWRT UI to flash the firmware and you are good to go.

(Note, if there are mistakes, please correct me in the replies, thank you)

why go back to OEM (or ISP) fw after unlocking the modem ?
just curious of your reasons...
I'm so happy with openwrt on my mr200 - with extra options like adblock, vpn, sqm - not even closely available on ofw

1 Like

Modem doesn't work properly with OpenWRT, for me at least.

1 Like

more details please - maybe I'm missing something as well

Unable to:
Properly connect modem to SIM Internet
Factory reset
Hook up to main router to share WiFi from Modem
Additional Settings specific to MiFi which don't work at all

Open 192.168.225.1 when connected to your MR200 via WiFi and you will see.

I have to admit I haven't unlocked my mr200 but 192.168.225.1 works and I can do all above from openwrt
I'd actually wanted to upload the unlock modem fw but considering the possible issues above (unusable with openwrt) I'd say I'll pass for now as I don't really need to switch WISP.
thanks for sharing this though - maybe you can add this to wiki - Applying for OpenWrt wiki account

So quick update, I did manage to fix everything except the Factory Reset function in the modem web console, it says it resets, but after the restart it shows the same configuration. Those additional settings are specific to the Mobile WiFi devices like the SD Card etc., so yeah.

SIM Internet didn't work because apparently my operator had some issues, tried another one and everything worked.

1 Like

Applied for the wiki account, got approved.

1 Like

Hi,

I flashed openwrt today onto an Archer MR200 v1, and the Modem Web Console is not available.

In fact, hitting http://192.168.225.1/ gives a 404 , which shows something is listening, but not what was expected.

Any ideas?

It's actually http://192.168.225.1/login.html

1 Like

Hey there. As Maurer has mentioned, visit the login.html page to gain access to console.

1 Like

Thanks guys. I got into the menu.

How can I tell if the modem is unlocked? Because I tried with another SIM card which did not work. Could also be a prob with the new SIM or APN details. The new SIM works in my phone, and doesn't have a PIN set.

Have you flashed the modem using the unlocked fw?

1 Like

Not yet. Will it break anything?

The sim lock, one would hope.

1 Like

what happens if the sim lock was never enabled? Perhaps mine won't work for another reason. Then could running the firmware patch break it?

Nothing will be broken. It's just a modem update. Do it without any worries. There is no indication telling you if the modem is locked or not in the console, only the fact that you get Disconnected message every time you attempt to connect to the data network.

1 Like

Hi,

I tried flashing the modem and got this message:

"Update failed. The update file is not suitable for the current firmware."

The image I used was from

I tried downloaded the .zip and tried again, and got the same message.

Have you got a SHA256 checksum for the file?

Here is photo of the About Device page.

Hey, it seems like the version of your modem firmware is newer. You haven't unzipped the firmware right?

Seems like you need to SSH into the modem by accessing OpenWRT SSH and doing adb shell so we can get some information about the firmware.

After doing adb shell, goto /system/etc/default_config and type cat product, then copy/paste all of its content here.

1 Like

Hi,

You haven't unzipped the firmware right?
Nope. I did not.

Here you go!


# cd /system
/bin/sh: cd: can't cd to /system
# cd /etc 
# cd default_c*
/etc/default_config # ls
4g_network                   rf_band_info
4g_radio                     rild
AR6004_hostapd.conf          samba
DIAG.cfg                     sim
SystemUpdate                 sim_auto_unlock_pin
dhcp_var                     sim_msisdn
flowstat                     sms
flowstat_current_boot_up     storageshare
flowstat_current_connection  system_state
isp_profile                  usb
mobile_data_switch           user_profile
mobileap_cfg.xml             vsftpd
mobileap_cfg.xsd             webserver
mobileap_firewall.xml        webserver_var
network_status               wlan
product
# cat product
################################################################################
# Product information
################################################################################
config product info
        option board_type    "mdm9225"
        option product_type  "mr200-un-v1"
        option product_id    "02000001"
        option product_name  "MR200(UN) 1.0"
        option hardware_ver  "1.0"
        option firmware_ver  "1.0.0"
        option firmware_ver_build  "Build 160805 Rel.1007n"
        option product_region   "UN"
        option product_series "MR200"
        option vendor_name   "TP-LINK Technologies Co., Ltd."
        option ssid_prefix   "TP-LINK_LTE_MODULE_"

################################################################################
# Feature configuration
#-------------------------------------------------------------------------------
# You can add any feature flags here.
################################################################################
# DEMO
config feature packageA
        option feature1       "1"
        option feature2       "2"

# DEMO
config feature packageB
        option feature1       "AAA"
        option feature2       "BBB"


#-------------------------------------------------------------------------------
# kernel & driver
#-------------------------------------------------------------------------------
config driver usb
        option vid "0x2357"
        option pid "0x000D"

config driver wlan
        option mac_address "00:11:22:33:44:55"

config driver lte
    option imei "000000000000000"
    option simNumber "0"
    option imsi "0"

#-------------------------------------------------------------------------------
# apps
#-------------------------------------------------------------------------------
config feature login
        option hostname     "tplinkmifi.net"

config feature storageshare
        option own_username "0"
        option own_password "0"

config feature charge
        option power_bank_detect_support "0" # 0: not support, 1: support
        option battery_capacity "0" # refer to battery_capacity_t, charge\charge.h
        option shutdown_no_battery_support "0" # 0: not support, 1: support

config feature ntpclient
    option timezone '0'
    option hw_time  '0'
    option sys_time  '0'
    option index    '25'

config feature wlanwarn
    option launch "0"

config feature rndisinfo
    option get_rndis_info  "0"

config feature update
    option domain  "http://upgrade.tp-link.com/SystemUpdate/lte/"
#-------------------------------------------------------------------------------
# others
#-------------------------------------------------------------------------------