Half-Bricked Archer C7?

bad.flash.0.1 · December 6, 2018, 3:44pm

Router Model: TP-Link Archer C7 AC1750 V3.0 (2.0 firmware interchangeable)
S/N: 215A487002242
Chipset: QCA9558
OS: Ubuntu 18.04 LTS

Background:
Original goal: Get OpenWRT with automatic reboots, ad blocking hosts file, and hardware NAT acceleration, without causing high CPU usage on laptop.

Originally loaded DD-WRT on router but WLAN disappeared when security key set. Decided to switch to OpenWRT by reverting to stock firmware, using 'ArcherC7v2_webrevert.rar' :

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=85237&postdays=0&postorder=asc&start=30

Then I upgraded to this LEDE optimized custom build for Archer:

It worked, but my CPU temp spiked to 60C every time I visited a heavy page like YouTube
...?

I wanted to revert to stock firmware, then flash stable 18.06 release from main page.

Unknowingly I used the same Webrevert file from above (may have been configured for DD-WRT) over SSH to flash.

After 10 minutes, it didn't reboot, so I unplugged my router and replugged it--then navigated to 192.168.0.1--and nothing. Same for 192.168.1.1

Boot pattern:
Back USB LED Lights on constantly.

All front lights go on.
Only power, 5GHz, and 8-pointed star(DMZ?) on,
All except 2.4GHz and rightmost refresh(?) light up
Finally just power, 5Ghz, and 8pt star on.

All happens in less than a second each, in 4 seconds.

Therefore, I cannot access failsafe mode.(blinking star never occurs) Pressing the WPS/reset button does not affect anything. Nor 30-30-30 reset. Unable to ping 192.168.0.66, 192.168.1.66 or 192.168.1.1 or 192.168.0.1

I set my IP address to 192.168.0.66 and attempted to TFTP (via ethernet LAN):

Stripped Version (did not rename) -
http://www.friedzombie.com/tplink-stripped-firmware/download.php?d=Archer-C7-V2
Original firmware (renaming it ArcherC7_v2_tp_recovery.bin):

Both said successfully uploaded on TFTP, but I'm convinced that I am just using TFTP to transfer it back to myself. The router doesn't reboot after 10 minutes or more, I can ping if my wired connection is set to 192.168.0.66, but not otherwise, and accessing to 192.168.0.66 brings up "Not Found" in browser.

After recently purchasing this router, I am REALLY hesitant to use a serial cable and don't have any soldering equipment. I do have another PC to test TFTP again on.

If you recognize this problem, or boot pattern, please share, it is highly appreciated. Thanks...

mk24 · December 6, 2018, 5:07pm

It sounds like the image in flash is unbootable.

TFTP recovery should be to power up while holding the reset button and keep holding until the LEDs do something. The router will be a TFTP server at 192.168.1.1. It will not respond to pings or serve DHCP addresses. It is only a TFTP server. Static IP your PC then TFTP put a stock firmware to it. Use binary mode and do not strip the firmware.

You do not need to solder serial pins in. Get a 1 row pin header with plastic holding the pins together. Plug your adapter wires into one side of the pins. Put the other end of the pins into the holes in the board and tilt it to the side so they make contact. Hold this position while you do your serial access. You can then remove with no trace, warranty intact.

jeff · December 6, 2018, 5:39pm

I have used the TFTP recovery approach on several Archer C7 v2 units with great success. https://openwrt.org/toh/tp-link/archer-c5-c7-wdr7500#tftp_recovery_de-bricking

It may take a couple tries, and tcpdump will confirm that you've got the right server address. See https://openwrt.org/toh/tp-link/tl-wdr4300#de-brick_or_oem_installation_using_the_tftp_recovery for what you'd look for with tcpdump. Holding down the button long enough was critical. As I recall, it has to be held down until the transfer starts (which can be seen with wireshark or tcpdump).

On macOS, I presently have in /private/tftpboot/

lrwxr-xr-x  1 root  wheel        61 Feb 21  2018 ArcherC7v2_tp_recovery.bin -> lede-17.01.4-ar71xx-generic-archer-c7-v2-squashfs-factory.bin

(that version selected likely based on when I last had to resort to TFTP recovery)

bad.flash.0.1 · December 7, 2018, 6:35pm

Update:
I have used the Tftpd32 program to flash the stock firmware(unstripped, and renamed) to the router at 192.168.0.1 .
Here are the contents of the log viewer:

Connection received from 192.168.0.86 on port 3131 [7/12 10:53:47.122]
Read request for file <ArcherC7v3_tp_recovery.bin>. Mode octet [07/12 10:53:47.123]
OACK: <timeout=3,> [07/12 10:53:47.125]
<ArcherC7v3_tp_recovery.bin>: sent 32002 blks, 16384512 bytes in 17 s. 0 blk resent [07/12 10:54:04.475]

I set my computer's IPv4 address to 192.168.0.66, port 24, and also held down the reset button until the WPS light turned on.
After the flash was complete, still nothing changed. It did not automatically reboot, and it went through the same boot pattern mentioned earlier. I should clarify that it only happens once per boot, and remains in the fourth state until I manually reboot it again.

I am unfamiliar with using tcpdump, but did my best to scan with Wireshark. On the wiki, it stated it would request for a filename, but no names have appeared. Host Unreachable is the response I got after this flash.

I'm starting to wish I had made a recovery partition....I might be willing to donate it to someone who is clever enough to fix the router.

mk24 · December 7, 2018, 6:38pm

You're going to need serial to see what is going on. Since the TFTP transfer worked, Ethernet seems to have worked from the bootloader, tcpdump / wireshark isn't really necessary.

If you have successfully booted a stock firmware, wifi APs will come on.

bad.flash.0.1 · December 7, 2018, 7:25pm

I suppose I have to read up on the wiki about serial. I will attempt this some more once I find the time. For now, I will link a post on the same topic from DD-WRT to refer to later, which may help others or myself later.

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=277637&postdays=0&postorder=asc&start=45

Thanks to you and the documentation of OpenWRT community.

jeff · December 7, 2018, 7:30pm

Take note of the info on needing a resistor pull-up to get the serial working on the Archer C7. It's described on the device's ToH page.

warwick · January 17, 2021, 5:58pm

Related to this, I did something stupid.

I had a C7 running a version of Open-WRT from last year sometime. I wanted to revert TP-Link Factory.

I had a crying baby on my hip and I force upgraded the webrevert rar file instead of first uncompressing it to a *.bin file.

From what I read in the documentation, I need to do something via serial to fix this but exactly what is not clear to me.

slh · January 17, 2021, 9:28pm

https://openwrt.org/toh/tp-link/archer-c7-1750#installation_or_restore_with_tftp if that doesn't work, chances of recovery are slim (non-zero, but bad, especially in regards to keeping the wireless (-calibration data) alive), but that page also offers further recovery information.

warwick · January 18, 2021, 6:44am

There is another document here https://openwrt.org/toh/tp-link/archer-c5-c7-wdr7500#tftp_recovery_de-bricking which mentions:

Note: the TFTP flashing process requires that the product hardware id and version in the new image header match those in the existing image in flash, otherwise the new image is rejected, flashing is cancelled and the bootloader proceeds to boot the old image.

How would I work out what the TPLINK_HWREV and TPLINK_HWID would have been set to by forcing the RAR file to be written? Is that even the right thing to ask?

slh · January 18, 2021, 6:53am

You won't, unless you have a serial console attached to monitor (and/ or interject) the tftp recovery process. Without eyes (serial console), all you can do is try - but messing up the hw ID isn't the most likely occurance (they are part of the uboot environment, before the flash ranges rewritten by a bootloader-less (e.g. rar) image), the wireless calibration is in much bigger danger.

The question still is, how much you want to invest into equipment necessary to maybe recover your router, as that quickly exceeds the re-sale value of working specimens on the used markets. Therefore I strongly suggest to try the procedures which don't require you to purchase additional hardware first - and worry about further steps later (likewise you should always push the more invasive recovery methods to later, e.g. starting by failsafe/ firstboot factory resetting, sysupgrade, push-button tftp recovery, serial console access/ tftpboot/ sysupgrade, spi-nor flasher, JTAG, … the further you escalate, the bigger the risks, the more equipment and experience needed). If you start from zero, usb2serial adapter, pins/ cables and soldering equipment (soldering iron, tin, thin soldering tips, flux, vacuum pump, solder wick - you may be able to avoid the soldering altogether for the serial console, but not for spi-nor flasher or JTAG uses) easily set you back by at least 30 USD/ EUR - spi-flasher/ soic8 clamps by another 15 USD/ EUR, JTAG more in the 50+ USD/ EUR range, while at the same time used (working) c7s start around 30 USD/ EUR - and those prices already assume buying and slow shipping from China, locally sourced (and delivered in reasonable time) prices will be higher.

--
if you own one, a RPi can be used for many of these tasks - less convenient, looking at this individual instance more expensive, but if you already happen to have one at your disposal…

warwick · January 18, 2021, 7:12pm

I do have all of that stuff and the rpi. But, you make a good point, not only about the materials, but also about my time which is at a premium at the moment.

I have done as you suggested and ordered a replacement.

I will put the archer away for a time of my life when I can afford to spend some time on it - because it is a fun challenge. But not now.

Thanks for the very useful answer.

system · January 28, 2021, 7:12pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.