Help please! 110$ re450 bricked!

Hey guys,

A little bit of a panic here because I cannot find any forum threads for RE450 unbricking.

Long story short, was on the LEDE firmware with everything working fine. I wanted to revert to original firmware so that I could get a replacement for the repeater because it was emanating some strange noises.

I followed the guide for flashing original firmware from here: https://wiki.openwrt.org/doc/howto/generic.uninstall

Now, my repeater blinks all lights when turned on intermittently and I cannot SSH into it.

Please help! Thanks a lot!! :slight_smile:

Did you read this? https://wiki.openwrt.org/toh/tp-link/tp-link_re450

Most TP-Link devices have a reset button, so this article on doing a TFTP recovery may work for you...

http://forum.tp-link.com/showthread.php?81462-How-to-recovery-the-router-when-you-bricked-it

Depending on what you actually did, chances are that you (at least) overwrote the ART partition (device specific calibration data required for the wlan cards), in the worst case also the bootloader. Both would basically render your repeater into a paperweight.

Hi,

The reset button is not doing anything, all leds still flashing intermittently.

I followed exactly the instructions on to reflash the original firmware given here: https://wiki.openwrt.org/doc/howto/generic.uninstall

This is what I did after sshing into the router:

cd /tmp
wget http://www.example.org/original_firmware.bin
mtd -r write /tmp/original_firmware.bin firmware

Is there any hope of recovery or is it paperweighted?

Thanks!

EDIT:
Just thought I will provide a little more info: Even when I connect wire ethernet to the router, the connection keeps going on and off. Probably a bad sign. Not sure.

All help appreciated. Worst case scenario I'll try and return to Amazon.

It is rebooting over and over because the firmware image is not bootable. I think you need to remove some headers before mtd'ing a stock firmware.

So it will need either TFTP or serial recovery as described in the TP Link forum.

Can it still be recovered via TFTP? Thought it was too late for that.

Try sniffing packets (wireshark) while kicking it into tftp mode to see if the expected packets are on wire.

Thanks. How can I turn my router into TFTP mode?

When it boots with the reset button held down, it should attempt to connect to a TFTP server.

Thank you mk24 and everyone else. I did a Wireshark capture on the router. This was the result. I don't see any TFTP packets being transmitted so I think it is bricked but just thought I should confirm before next steps.


tumblr image hosting

Also did one where I set the static IP to 192.168.1.2, subnet to 255.255.255.0 and router to 192.168.1.1

blogger image hosting

Consensus: Bricked or not?

Not sure why you are using those IPs as the one link I looked at above indicates different values, and the one tplink device I own goes to something more in line with what I see in that link. But with that said, I do not see any traffic that would indicate it is trying to hit a tftp server.

Is the device supposed to indicate in any way with LEDs that it is attempting tftp?
How to you set the IP on a router that you are incapable on accessing?

The LEDs keep flashing (all of them) and router keeps powering on and off. I know this because I lose my ethernet connection to it in a rhythmic pattern.

I am on Mac OSX High Sierra. I am setting the IPs on the Ethernet interface that it connects to when turned on.

I also ran a TFTP server on 192.168.0.62 with the Ethernet interface's IP set to 192.168.0.60 the network traffic did not indicate it was trying to retrieve a .bin file.

Any other suggestions? Again. thanks for the help! :slight_smile:

Hi,

RE450 doesn have recovery TFTP mode.

You have only one "simple" method to fix this repeater.
Use serial TTL adapter and connect it to serial header on board re450. Look on first photo: RE450 board photo
JP1 - Tx
JP2 - Rx
JP3 - Gnd
JP4 - 3v3 - leave not connected

Download prepared "back-to-stock" firmware from here

  • Renamed file to "re450bs.bin" for convenience but it is not required
  • Set my PC's IP to fixed (In my case 192.168.1.3)
  • Bring up a tftp server, in my case tftp64 but anyone will do.
  • Add file to the root that is visible through tftp
  • Connect by serial and do the following:

' U-Boot 1.1.4 (Jul 27 2016 - 17:23:50)

ap135 - Scorpion 1.0

DRAM:  128 MB
Top of RAM usable for U-Boot at: 88000000
Reserving 133k for U-Boot at: 87fdc000
Reserving 192k for malloc() at: 87fac000
Reserving 44 Bytes for Board Info at: 87fabfd4
Reserving 36 Bytes for Global Data at: 87fabfb0
Reserving 128k for boot params() at: 87f8bfb0
Stack Pointer at: 87f8bf98
Now running in RAM - U-Boot at: 87fdc000
Flash Manuf Id 0xc2, DeviceId0 0x20, DeviceId1 0x17
flash size 16MB, sector count = 256
Flash: 16 MB
Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ath_gmac_enet_initialize...
athrs_sgmii_res_cal: cal value = 0xe
No valid address in Flash. Using fixed address
Scorpion  ----> AR8033 PHY *
AR8033 PHY init
eth0: 00:03:7f:09:0b:ad
eth0 up
eth0
Setting 0x18116290 to 0x58b0214f
Autobooting in 1 seconds
scorpion> setenv ipaddr 192.168.1.1
scorpion> setenv serverip 192.168.1.3
scorpion> ping ${serverip}
Trying eth0
Checking Link: Up
Checking Duplex: Full
Checking Speed 100BaseT
dup 1 speed 100
Using eth0 device
host 192.168.1.3 is alive
scorpion> tftp 0x80060000 re450bs.bin&&erase 0x9f020000 +$filesize&&cp.b $fileaddr 0x9f020000 $filesize
Trying eth0
Checking Link: Up
Checking Duplex: Full
Checking Speed 100BaseT
Using eth0 device
TFTP from server 192.168.1.3; our IP address is 192.168.1.1
Filename 're450bs.bin'.
Load address: 0x80060000
Loading: #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         ##################################
done
Bytes transferred = 6160384 (5e0000 hex)
Erase Flash from 0x9f020000 to 0x9f5fffff in Bank # 1
First 0x2 last 0x5f sector size 0x10000                                                                                             95
Erased 94 sectors
Copy to Flash... write addr: 9f020000
done
scorpion> boot
## Booting image at 9f020000 ...
   Uncompressing Kernel Image ... OK
...
1 Like

Hey Heinz,

Thanks a lot for the reply.

I actually ended up returning to Amazon and getting a new one.

However, when I flashed this one, it completed the flash but I am unable to get to 192.168.1.1

Did everything the same as the last router but the last one was successful. Don't know what went wrong with this one. And I really don't want to return this one again cuz then Amazon will flag my account. Also, don't wanna take advantage of them.

Any help is appreciated. This is really turning into a nightmare for me lol.

EDIT:
Had to manually reboot it to get the LuCi interface. Not sure why. Just saved myself from a heart attack lol.

UPDATE:
Successfully managed to flash the firmware with sysupgrade.

I wanted to thank everyone for the help.

I really want to improve the wiki for this router so that it shows the correct way to flash the original firmware and also the process that @Heinz described above.

I assume the correct flashing procedure for original firmware is to remove the first 256 bytes and then flash it. Please let me know so I can go ahead and update the wiki.

Thank You!

EDIT:
Can someone please help me with this? Changed LAN IP. Now unable to connect to router

Thank you!

This is one of method to back to stock firmware, Second method is use my "back_to_stock" firmware like sysupgrade file. You can use LuCI ( system - firmware upgrade) or ssh command line ( sysupgrade -f back_to_stock.bin )

I prepare this back-to-stock firmware by dump and merge kernel and rootfs from flash chip.

No. This repeater have TP-Link safeloader header its not easy to extract kernel and rootfs from this and fit it to "firmware" partition.

Hi Heinz, i know this is already an older thread but i just bricked my RE450 v1 while trying to go back to stock (same method like the guy from the initial post :frowning: @anybody else, DO NOT TRY THE GENERIC BACK TO STOCK GUIDE FROM OPENWRT ON RE450, IT WILL BRICK YOUR ROUTER!)

Since the device is not reachable by ssh/tftp anymore and runs into a bootloop i wanted to try to connect serially to the device, but there is a little problem. Although i soldered a couple of cables and SUB-D connectors in the past i cannot figure out how to connect a USB TTL Adapter to the pcb of the RE450.
On the pictures in this thread we can see that the serial connectors seem to be some kind of orange colored pad, but i can neither see a PIN or a hole where i could solder a PIN header. Is this orange thing a solder pad or how do you connect to the serial port?

I would be happy if you could help me out here.

Thanks a lot!

Hi @Dudemeister,

This orange thing is normal solder pad. Use thin copper wire and solder it to pad.

Thanks a lot for your quick reply Heinz. I knew solder pads from old times, but the ones i knew where silver.
As soon as my USB-TTL Adapter arrives next week I'll try it out.

Thanks again!

Hello Heinz, your guide worked perfectly well and my re450 is back online again with stock firmware. I was really surprised to find out that your re450bs.bin restored my device exactly to the point before i first tested lede/openwrt, even including my passwords, complete network configuration simply everything.

Thanks a lot for your help!

A tip for others that want to try that: make sure your ethernet connection has no capture driver activated, took me about an hour to find out that this was interfering with the network connection to the re450 in u-boot mode.