Help debricking my TP-Link Archer C60 v1

Hi,

I have a TP-Link Archer C60 v1 that I've hard-bricked by accidentally installing the wrong firmware to it. The firmware that was installed was the one from the Archer C60 v2 and it was installed using the TFTP method. Obviously, I'm aware that the device has checks and verifications in place to prevent this from happening, but I bypassed those protections by manually editing the firmware file before uploading it through TFTP. I wrongly assumed that v1, v2 and v3 of this device have the same partition layout and that, if things go awry, it shouldn't hard-brick the device, only soft-brick it. It turns out that although the v2 and the v3 do in fact have the same partition layout, the v1 doesn't. A really dumb mistake on my part, I know...

Since the device was now stuck in an infinite bootloop and wasn't even loading the bootloader, I desoldered the flash chip from the board in order to dump its content and analyze it. From my analysis of the flash dump of my bricked device and by cross-referencing its content with the partition layouts of the v1 and the v2 [1][2][3][4], I've so far confirmed that:
a) all the partitions have been overwritten by the data from the v2 firmware;
b) that the data was written at the addresses from v2's partition layout;
c) and that the ART partition was left intact, since for v1, v2 and v3 it resides at the same address (0x7f0000). I know, lucky me...

Now that I've established the extent of the damage, I think I am ready to attempt to debrick this device. I'm trying to figure out the best approach to take and I have a few questions.

  1. If I extract 'u-boot' from the stock firmware and flash it to the flash chip at the right address, can I expect the device to boot even if the rest of the partitions are corrupt? If not, skip to question #2.

    ↳ If yes, from a working u-boot only, will I be able to boot OpenWRT from RAM even if the rest of the partitions are corrupt?

    ↳ If yes, from OpenWRT booted from RAM, will I be able to mtd write the partitions and expect OpenWRT to write them at correct addresses?

  2. Can I manually build a new image to flash to the chip the following way:
    i) extracting the partitions (out of the stock firmware for the generic ones; out of my flash dump for the unique-per-device ones)
    ii) stitching them back together at the right address (the addresses from the partition layout)
    iii) adding padding of the correct size (until the next partition's address) at the end of them with dd if=/dev/zero

TIA

[1] qca9561_tplink_archer-c60-v1.dts
[2] qca9561_tplink_archer-c60-v2.dts
[3] tplink-safeloader.c
[4] tplink-safeloader.c

Have you tried using TFTP to unbrick?

Download the stock firmware.

Download TFTPD64.

Rename the downloaded firmware file to ArcherC60v1_tp_recovery.bin, and place it in the same folder as TFTPD64.

Open your network settings in Windows, and select the wired adapter (don't try this on a wireless connection).

Right-click and select Properties.

Select Internet Protocol Version 4 (TCP/IPv4) and click on the Properties button.

In the General tab, select the radio button for Use the Following IP Address.

Enter 192.168.0.66 for the IP address.

Should default to 255.255.255.0 for the Subnet Mask.

Turn the router off.

Make sure nothing else is connected to the router; it should be just the router and your computer.

Open TFTPD64. You may be asked to allow it through the firewall. Select Public.

Go to Settings > Global, and uncheck everything except TFTP Server.

Go to Settings > TFTP. Select None for TFTP security. Uncheck Option negotiation, and enter 192.168.0.66 in the Bind to this IP address drop down.

Go back to the main window, and make sure the Current Directory dropdown is showing the path to the TFTPD64 folder, which should also contain your recovery firmware file ArcherC60v1_tp_recovery.bin

The IP address 192.168.0.66 should be displayed in the Server Interface dropdown. If not, select it.

Go to the router and press the power button and the reset button at the same time.

Release the power button...but continue to hold the reset button for about 4 or 5 seconds, then release.

You should see a progress bar going across the TFTPD64 screen (although it should only take a very short time).

View the log. It should show 100% transferred.

Go back to your wired network adapter, and change the radio button back to Obtain an IP Address Automatically.

Try to access the router GUI. The stock firmware IP address is 192.168.0.1 and admin/admin for the User Id and Password.

If you can see that you have Internet access in the Network icon, but can't access the GUI, open a Command prompt and run ipconfig /release and then ipconfig /renew.

Try to access the GUI again.

Have you tried using TFTP to unbrick?

I'm way past using TFTP to debrick because the bootloader is no more, hence no TFTP server running on the device at boot to begin with.

I am sorry about your router. I think you are on the right track. Please see steps below:

  1. Extract U-Boot from stock firmware and flash it.

  2. Copy stripped firmware on to the right partition.

  3. Reset.

Good luck and happy holidays.
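
The stitching procedure from question 2 of the original post (partitions placed at their layout addresses and padded up to the next one), as an added Python example that is not code from any poster or from OpenWrt. The layout table, the 8 MiB flash size and the blob contents are constructed placeholders; only the ART offset 0x7f0000 comes from the thread.

```python
FLASH_SIZE = 0x800000  # ASSUMPTION: 8 MiB chip; use the length of your own dump
ART_OFFSET = 0x7F0000  # from the post: same address on v1, v2 and v3

# Constructed placeholder layout (name, offset, size), NOT the real v1 table:
# copy the real names and offsets from the v1 .dts before using this.
LAYOUT = [
    ("u-boot",   0x000000, 0x010000),
    ("firmware", 0x010000, 0x7E0000),
    ("art",      ART_OFFSET, 0x010000),
]

def check_layout(layout, flash_size):
    """Reject partitions that overlap or run past the end of the chip."""
    end = 0
    for name, offset, size in sorted(layout, key=lambda p: p[1]):
        if offset < end:
            raise ValueError(f"{name} overlaps the previous partition")
        if offset + size > flash_size:
            raise ValueError(f"{name} runs past the end of flash")
        end = offset + size

def carve(image, layout, name):
    """Return one partition's bytes from a full dump (e.g. ART from the bricked dump)."""
    for part, offset, size in layout:
        if part == name:
            return image[offset:offset + size]
    raise KeyError(name)

def build_image(layout, blobs, flash_size=FLASH_SIZE, pad=0xFF):
    """Place each blob at its offset; gaps keep the pad byte.

    pad=0xFF matches erased NOR flash; pad=0x00 is what dd if=/dev/zero gives.
    """
    check_layout(layout, flash_size)
    image = bytearray([pad]) * flash_size
    for name, offset, size in layout:
        blob = blobs[name]
        if len(blob) > size:
            raise ValueError(f"{name} blob is larger than its partition")
        image[offset:offset + len(blob)] = blob
    return bytes(image)

def demo():
    # Constructed stand-ins for the real inputs: a dump whose ART survived, and
    # u-boot/firmware blobs as they would be extracted from the stock image.
    dump = bytes(ART_OFFSET) + bytes(range(256)) * 256
    blobs = {"u-boot": b"UBOOT" * 100, "firmware": b"FW" * 1000,
             "art": carve(dump, LAYOUT, "art")}
    return dump, build_image(LAYOUT, blobs)

if __name__ == "__main__":
    dump, image = demo()
    print(len(image) == FLASH_SIZE, carve(image, LAYOUT, "art") == carve(dump, LAYOUT, "art"))
```

Comparing the carved ART of the built image against the carved ART of the dump before writing the chip confirms the per-device calibration data landed at the same address it was read from.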