Doesn't really matter, whatever unbricks it works for me, because if I flash the stock firmware, then I'll anyway switch to OpenWRT. If I unbrick it using OpenWRT, then I'll stick with it.
Sorry. I post bad link in my first message. Read message, prepare sysupgrade image from stock firmware and compare with your sysupgrade.
I think that vendor use patched version of uboot header. Standard uboot image format assumes kernel compressed data at offset 0x40 (just after uimage header).
This did not work either. Used the converter to... well, convert stock 1.3.6 to sysupgrade. Same CRC error after flash.
setenv serverip 192.168.0.66; setenv ipaddr 192.168.0.86; tftp 0x80060000 sysup.bin
Trying eth0
Using eth0 device
TFTP from server 192.168.0.66; our IP address is 192.168.0.86
Download Filename 'sysup.bin'.
Download to address: 0x80060000
Loading: ################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
#############################
done
Bytes transferred = 7929856 (790000 hex)
ath> erase 0x9f030000 +0x790000; cp.b 0x80060000 0x9f030000 0x790000; bootm 0x9f030000
Erasing flash...
First 0x3 last 0x7b sector size 0x10000 123
Erased 121 sectors
Copy to Flash... write addr: 9f030000
done
## Booting image at 9f030000 ...
Image Name: MIPS OpenWrt Linux-3.3.8
Created: 2020-07-01 10:19:12 UTC
Image Type: MIPS Linux Multi-File Image (lzma compressed)
Data Size: 1047980 Bytes = 1023.4 kB
Load Address: 80060000
Entry Point: 80060000
Contents:
Image 0: 1047972 Bytes = 1023.4 kB
Verifying Checksum at 0x9f030040 ...Bad Data CRC
Okay, so I managed to skip the CRC check by setting the environment variable verify to n, then I get this error:
## Booting image at 9f030000 ...
Image Name: MIPS OpenWrt Linux-5.4.238
Created: 2023-04-17 13:15:36 UTC
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 2070929 Bytes = 2 MB
Load Address: 80060000
Entry Point: 80060000
Uncompressing Kernel Image ... ERROR: LzmaDecode.c, 543
Decoding error = 1
LZMA ERROR 1 - must RESET board to recover
Could this actually be a uboot error?
Is the same error with stock sysupgrade?
CRC or LZMA, because both OpenWRT and stock are having the same errors.
Now, I've seen something that might impact the CRC calculation (unless my math is irrecoverably broken)
ath> erase 0x9f030000 +0x790000; cp.b 0x80060000 0x9f030000 0x790000; bootm 0x9f030000
Erasing flash...
First 0x3 last 0x7b sector size 0x10000 123
Erased 121 sectors
Are there 2 sectors not erased? If so, then they probably can't be overwritten as well, right?
Really 3 sectors not earased. Stock flash layout:
partition fs-uboot base 0x00000 size 0x20000
partition default-mac base 0x20000 size 0x00200
partition pin base 0x20200 size 0x00100
partition product-info base 0x20300 size 0x00200
partition device-id base 0x20500 size 0x0fb00
partition os-image base 0x30000 size 0x100000
partition file-system base 0x130000 size 0x690000
partition favicon base 0x7cc000 size 0x02000
partition logo base 0x7ce000 size 0x02000
partition soft-version base 0x7d9400 size 0x00100
partition extra-para base 0x7d9500 size 0x00100
partition support-list base 0x7d9600 size 0x00200
partition profile base 0x7d9800 size 0x03000
partition default-config-f base 0x7dc800 size 0x03000
partition partition-table base 0x7df800 size 0x00800
partition user-config base 0x7e0000 size 0x09000
partition default-config base 0x7e9000 size 0x03000
partition certificate base 0x7ec000 size 0x04000
partition radio base 0x7f0000 size 0x10000
First 0x30000 (3 sector of size 0x10000=64k) contain bootloader and board specific data. If you erase these sectors then you totally brick device.
I've one idea. You can try flash and load stock firmware by hand.
- Prepare sysupgrade image (
stocksys.bin) from stock firmware and flash it. My version look like:
00000000: 27 05 19 56 91 FC 40 42 │ 5E FC 63 20 00 0F FD AC '♣↓VС№@B^№c ☼¤м
00000010: 80 06 00 00 80 06 00 00 │ 63 5D C6 58 05 05 04 03 А♠ А♠ c]╞X♣♣♦♥
00000020: 4D 49 50 53 20 4F 70 65 │ 6E 57 72 74 20 4C 69 6E MIPS OpenWrt Lin
00000030: 75 78 2D 33 2E 33 2E 38 │ 00 00 00 00 00 00 00 00 ux-3.3.8
00000040: 00 0F FD A4 00 00 00 00 │ 6D 00 00 80 00 6C 72 2E ☼¤д m А lr.
00000050: 00 00 00 00 00 00 00 6F │ FD FF FF A3 B7 7F 4C 38 o¤ г╖⌂L8
As you can see kernel compressed data start at offset 0x48 and its size is 0xffda4
2. Extract compressed kernel from stocksys.bin:
dd if=stocksys.bin of=kernel.lzma bs=1 skip=$((0x48)) size=$((0xffda4))
lzma d kernel.lzma kernel
- Load
kernelwith tftpboot at 80060000 and start it:
tftpboot 80060000 kernel
go 80060000
After that stock firmware may start correctly. In this case you can update firmware from stock web-interface and compare headers.
LZMA error occurs because you've loaded the compressed kernel into the same memory space where it will move itself as it uncompresses. This causes the kernel to overwrite itself and become corrupt.
Use 0x81000000 as the load address instead.
Running erase from u-boot is really not recommended. It is easy to make a mistake and erase a vital partition.
Does not work...
setenv serverip 192.168.0.66; setenv ipaddr 192.168.0.86; tftp 0x80060000 sysup.bin
Trying eth0
dup 1 speed 1000
Using eth0 device
TFTP from server 192.168.0.66; our IP address is 192.168.0.86
Download Filename 'sysup.bin'.
Download to address: 0x80060000
Loading: ################################
##checksum bad
checksum bad
#checksum bad
checksum bad
#############################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
#############################
done
Bytes transferred = 7929856 (790000 hex)
ath> erase 0x9f030000 +0x790000; cp.b 0x80060000 0x9f030000 0x790000;
Erasing flash...
First 0x3 last 0x7b sector size 0x10000 123
Erased 121 sectors
Copy to Flash... write addr: 9f030000
done
tftpboot 0x80060000 kernel
Trying eth0
Using eth0 device
TFTP from server 192.168.0.66; our IP address is 192.168.0.86
Download Filename 'kernel'.
Download to address: 0x80060000
Loading: ################################
################################
################################
################################
################################
################################
################
done
Bytes transferred = 3043948 (2e726c hex)
ath> go 0x80060000
## Starting application at 0x80060000 ...
▒
It is getting stuck at that last step Starting application [...]
Sadly that was not the case. I am still getting the LZMA error even when loading to 0x81000000.
Frankly, this is becoming extremely frustrating. Everything fails for some reason... I think I'll just toss it out of the window (hoping it won't crush anyone's head) and just buy another working device and try with that one
Very strange. Can you try the same procedure with initramfs image (self-compiled or downloaded from downloads.openwrt.org)?
dd if=initramfs.bin of=initramfs.lzma bs=1 skip=$((0x40))
lzma d initramfs.lzma initramfs
Then from bootloader:
tftpboot 80060000 initramfs
go 80060000
Just to check that go command work correctly.
Seems like it does not
U-Boot 1.1.4-g33593293-dirty (Jul 1 2020 - 18:11:57)
ap152 - Dragonfly 1.0
DRAM: 128 MB
Top of RAM usable for U-Boot at: 88000000
Reserving 399k for U-Boot at: 87f9c000
Reserving 8256k for malloc() at: 8778c000
Reserving 44 Bytes for Board Info at: 8778bfd4
Reserving 36 Bytes for Global Data at: 8778bfb0
Reserving 128k for boot params() at: 8776bfb0
Stack Pointer at: 8776bf98
Now running in RAM - U-Boot at: 87f9c000
Flash Manuf Id 0x1c, DeviceId0 0x70, DeviceId1 0x17
flash size 8MB, sector count = 128
Flash: 8 MB
Using default environment
In: serial
Out: serial
Err: serial
Net: ath_gmac_enet_initialize...
No valid address in Flash. Using fixed address
ath_gmac_enet_initialize: reset mask:c02200
athr_mgmt_init ::done
Dragonfly ----> S17 PHY *
athrs17_reg_init: complete
SGMII in forced mode
athr_gmac_sgmii_setup SGMII done
: cfg1 0x80000000 cfg2 0x7114
eth0: 00:03:7f:09:0b:ad
eth0 up
eth0
Setting 0x181162c0 to 0x50a02100
factory boot check integer ok.
Hit any key to stop autoboot: 0
---------in uboot mode , enable phy -----
ath>
ath>
ath>
ath>
ath>
ath>
ath>
ath> setenv serverip 192.168.0.66; setenv ipaddr 192.168.0.86
ath> tftpboot 0x80060000 initramfs; go 0x80060000
Trying eth0
dup 1 speed 1000
Using eth0 device
TFTP from server 192.168.0.66; our IP address is 192.168.0.86
Download Filename 'initramfs'.
Download to address: 0x80060000
Loading: ################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
###############
done
Bytes transferred = 17593847 (10c75f7 hex)
## Starting application at 0x80060000 ...
Could it be due to the fact that when decompressing the initramfs.lzma file, I got an error, or rather a warning (because it created the file) from lzma, saying
lzma: initramfs: File format not recognized
We don't need lzma error 
I've found dump of archer a6 v2 RU. And prepare files for tests:
- openwrt dir contain initramfs prepared from stable release of openwrt-21 and openwrt-22 without lzma errors. Try first.
- dump dir contain full flash dump (for to compare formats) and sysupgrade (
dumpsys.bin) prepared from it.
Flashdumpsys.binto check no CRC error.
That didn't work, still stuck at starting application:
ath> setenv serverip 192.168.0.66; setenv ipaddr 192.168.0.86;
ath> tftpboot 0x80060000 initramfs; go 0x80060000
Trying eth0
Using eth0 device
TFTP from server 192.168.0.66; our IP address is 192.168.0.86
Download Filename 'initramfs'.
Download to address: 0x80060000
Loading: ################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
##############################
done
Bytes transferred = 15931023 (f3168f hex)
## Starting application at 0x80060000 ...
This did not work either. Still CRC error
ath> setenv serverip 192.168.0.66; setenv ipaddr 192.168.0.86; tftp 0x80060000 dumpsys.bin; erase 0x9f030000 +0x78fe1a; cp.b 0x80060000 0x9f030000 0x78fe1a; reset
Trying eth0
dup 1 speed 1000
Using eth0 device
TFTP from server 192.168.0.66; our IP address is 192.168.0.86
Download Filename 'dumpsys.bin'.
Download to address: 0x80060000
Loading: ################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
################################
#############################
done
Bytes transferred = 7929370 (78fe1a hex)
Erasing flash...
First 0x3 last 0x7b sector size 0x10000 123
Erased 121 sectors
Copy to Flash... write addr: 9f030000
done▒
U-Boot 1.1.4-g33593293-dirty (Jul 1 2020 - 18:11:57)
ap152 - Dragonfly 1.0
DRAM: 128 MB
Top of RAM usable for U-Boot at: 88000000
Reserving 399k for U-Boot at: 87f9c000
Reserving 8256k for malloc() at: 8778c000
Reserving 44 Bytes for Board Info at: 8778bfd4
Reserving 36 Bytes for Global Data at: 8778bfb0
Reserving 128k for boot params() at: 8776bfb0
Stack Pointer at: 8776bf98
Now running in RAM - U-Boot at: 87f9c000
Flash Manuf Id 0x1c, DeviceId0 0x70, DeviceId1 0x17
flash size 8MB, sector count = 128
Flash: 8 MB
Using default environment
In: serial
Out: serial
Err: serial
Net: ath_gmac_enet_initialize...
No valid address in Flash. Using fixed address
ath_gmac_enet_initialize: reset mask:c02200
athr_mgmt_init ::done
Dragonfly ----> S17 PHY *
athrs17_reg_init: complete
SGMII in forced mode
athr_gmac_sgmii_setup SGMII done
: cfg1 0x80000000 cfg2 0x7114
eth0: 00:03:7f:09:0b:ad
eth0 up
eth0
Setting 0x181162c0 to 0x50a02100
factory boot check integer ok.
Hit any key to stop autoboot: 0
## Booting image at 9f030000 ...
Image Name: MIPS OpenWrt Linux-3.3.8
Created: 2020-09-24 7:02:38 UTC
Image Type: MIPS Linux Multi-File Image (lzma compressed)
Data Size: 1047787 Bytes = 1023.2 kB
Load Address: 80060000
Entry Point: 80060000
Contents:
Image 0: 1047779 Bytes = 1023.2 kB
Verifying Checksum at 0x9f030040 ...Bad Data CRC
---------in uboot mode , enable phy -----
ath>
Maybe I'm doing something wrong? 
It's very strange.
Really only 2 version: corrupted bootloader or flash is dead (at least part that contain firmware).
First version may be check by reflashing uboot (it's easy to get from dump). And it dangerous without flash programmer.
Second version is hard to detect without reading full dump.
Ok.
- To get bootloader from dump and flash it:
dd if=dump.bin of=uboot.bin bs=64k count=2
and flash it from bootloader command line:
tftpboot 80060000 uboot.bin
erase 9f000000 20000
cp.b 80060000 9f000000 20000
- bootloader allow display data only, for example.:
md 9f030000 200
show (memory display) first 256 byte of firmware. To backup all kernel partition will take too many time 
Or show all command (output of help bootloader command). May be there exist more suitable command.
ADD: sometimes bootloader contain command for calculation CRC of memory. It may simplify flash check.
Just to be sure I don't extract nonsense data, you are talking about the dumpsys.bin file, not about the Dump_ArcherA6v2_ru-up-ver1-3-2-P1[20201126-rel39768].bin in the archive, right?
Yes. dump.bin means full flash dump file Dump_ArcherA6v2_ru-up-ver1-3-2-P1[20201126-rel39768].bin. Simply copy first two 64k (0x10000 in hex) block of dump into beginning of flash. As pointed above:
partition fs-uboot base 0x00000 size 0x20000
Yeah, that completely destroyed the router. It is bricked for good now 
Time to buy a brand new used hardware I guess.
Or buy flash programmer and flash chip to recover.
BTW uboot was compressed. So it's a little chance that it is corrupted. At least it correctly unpacked before start.
The most possible promblem is dead flash (or RAM?).