Mercusys mr85x v1.0

Hello everyone,

The device I bought (08.03.26) came with the latest firmware (1.1.0). There is official support for this device, but… that is a stretch: I found only one commit mentioning anything about this model, and my experience differs from the one described by the maintainer who added support for it.

First: there is no UART header per se, there are contact points with very obvious descriptions on the silkscreen - but, after triple checking and some measuring, it seems that the console is locked in receive-only mode. I tried several different USB-2-UART adapters, including FT2232HL (which works 98 times out of 100), Rpi5, Pico2 etc. and I couldn’t get any input through, meaning no uboot CTRL+C or T break (as mentioned in the only MR85X commit I found).

Stock firmware is a TPLink-originated 12.0x openwrt fork, with firmware binary blobs for the network interfaces. The firmware can’t be downgraded (officially) - but, the blobs provided from Mercusys are wrapped 3 different ubifs packages: kernel/Initram, rootfs and uboot.

Holding the reset button pressed and plugging power into the router gives you a recovery option, and this allows for a downgrade :smile:, so I rolled back to the initial 1.0.0 update and now I look through the firmware manufacturers downloaded and extracted .bins (binwalk makes it simple) and try to find what TPLINK f***up as by tradition. It glitched the flashing process, in case of anything going wrong during “upgrade”, it keeps a backup copy for those cases.

https://gist.github.com/inoperable/dac3e97df5970dcc186638c86dedc5d4 - boot log

Do I have some broken unit with the RX pin broken, or is it locked by some nvram setting?

Any tips would be very appreciated

UPDATE: private RSA key hardcoded in a lua (bytecode) file, how nice :slight_smile:
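
The update above mentions a private RSA key hardcoded in a compiled Lua file. As an added example (not part of any post in this thread and not Mercusys or OpenWrt code), this is one way to audit an extracted firmware tree for embedded PEM private keys, reporting only the location and a hash of each finding. It assumes the key is stored as a plain PEM string constant; the sample tree, file names and dummy key body are constructed.

```python
import hashlib
import os
import re
import tempfile

# PEM private-key blocks with a plain base64 body (PKCS#1 "RSA", SEC1 "EC",
# PKCS#8 plain or encrypted), matched anywhere inside a binary blob.
PEM_KEY = re.compile(
    rb"-----BEGIN ((?:RSA |EC |ENCRYPTED )?PRIVATE KEY)-----"
    rb"[A-Za-z0-9+/=\s]+?"
    rb"-----END \1-----"
)

def scan_tree(root):
    """Return (relative path, offset, key type, sha256 prefix) per embedded key."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # extracted rootfs trees contain dangling symlinks
            with open(path, "rb") as fh:
                data = fh.read()
            for m in PEM_KEY.finditer(data):
                digest = hashlib.sha256(m.group(0)).hexdigest()[:16]
                hits.append((os.path.relpath(path, root), m.start(),
                             m.group(1).decode(), digest))
    return hits

def build_sample_tree(root):
    """Constructed sample: a fake compiled-Lua file holding a dummy PEM constant."""
    os.makedirs(os.path.join(root, "usr/lib/lua"))
    fake_pem = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                b"Q09OU1RSVUNURUQtU0FNUExFLU5PVC1BLUtFWQ==\n"  # not key material
                b"-----END RSA PRIVATE KEY-----")
    with open(os.path.join(root, "usr/lib/lua/sample.lua"), "wb") as fh:
        fh.write(b"\x1bLua\x51\x00" + b"\x00" * 10 + fake_pem + b"\x00\x1e")
    with open(os.path.join(root, "usr/lib/lua/clean.lua"), "wb") as fh:
        fh.write(b"\x1bLua\x51\x00 no key material here")

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)

if __name__ == "__main__":
    for rel, off, kind, digest in demo():
        print(f"{rel} @0x{off:x}: {kind} (sha256 {digest}...)")
```

The scanner never prints the key body, so its output can go into a report or ticket; the hash prefix is enough to tell whether the same key ships in several firmware versions.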

Kind of you can install once downgraded
https://github.com/openwrt/openwrt/commit/b2648d89517c05f7b5633e1d79a989c3e5fd011e


Just a guess: Maybe you have to solder bridge(s)? https://openwrt.org/toh/mercusys/mr90x_v1#serial

You can try mtkuartboot to check if RX is blocked by some nvram setting.


What do you mean? I downgraded already but feeding the recovery mode anything but a mercusys .bin is a no-go, it checks for some signature and expects a ubifs image.

That is what I thought, but I probed the RX / TX line and the signal goes past (no missing resistors on the MR80X)

Did you get it to work?

Not yet, but I’m on it. I actually hack around the recovery web interface now, so it swallows a repackaged openwrt image instead of vendor’s firmware, I’m almost there.


Bought one today and managed to get it working first try without any issues using a CH340E adapter. Maybe you had bad contact with the 3 contacts? Or one might be broken like you said.

So I might really have caught a broken one lol, can you do me a favor and dump your entire firmware somewhere?

shot you a dm

Prolific Technology, Inc. PL2303 Serial Port / Mobile Phone Data Cable
No bridge to solder and it worked with 1.1.0 firmware

Nothing to report about having uboot shell with CTRL+C

setenv tp_boot_idx 0
saveenv
setenv serverip 192.168.1.2
setenv ipaddr 192.168.1.1

printenv
baudrate=115200
bootargs=ubi.mtd=ubi0 console=ttyS0,115200n1 loglevel=8 earlycon=uart8250,mmio32,0x11002000 init=/etc/preinit
ethaddr=ee:b4:7e:3d:f7:b7
fdtcontroladdr=5ffb4110
ipaddr=192.168.1.1
loadaddr=0x46000000
netmask=255.255.255.0
serverip=192.168.1.2
stderr=serial@11002000
stdin=serial@11002000
stdout=serial@11002000
tp_boot_idx=0

CPU MHz: 1300
Flash MB: 64NAND
RAM MB: 512

NAND 128 MiB

├── boot 2 MiB
├── u-boot-env 1 MiB
├── ubi0 ~50 MiB
├── ubi1 ~50 MiB
├── userconfig 8 MiB
└── tp_data 8 MiB

0x000000000000-0x000008000000 : "spi-nand0" 0x8000000
0x000000000000-0x000000200000 : "boot" 0x200000
0x000000200000-0x000000300000 : "u-boot-env" 0x100000
0x000000300000-0x000003500000 : "ubi0" 0x3200000
0x000003500000-0x000006700000 : "ubi1" 0x3200000
0x000006700000-0x000006f00000 : "userconfig" 0x800000
0x000006f00000-0x000007700000 : "tp_data" 0x800000


ubinfo -a

UBI version:                    1
Count of UBI devices:           2
UBI control device major/minor: 10:256
Present UBI devices:            ubi0, ubi1

ubi0
Volumes count:                           4
Logical eraseblock size:                 126976 bytes, 124.0 KiB
Total amount of logical eraseblocks:     400 (50790400 bytes, 48.4 MiB)
Amount of available logical eraseblocks: 0 (0 bytes)
Maximum count of volumes                 128
Count of bad physical eraseblocks:       0
Count of reserved physical eraseblocks:  20
Current maximum erase counter value:     3
Minimum input/output unit size:          2048 bytes
Character device major/minor:            249:0
Present volumes:                         0, 1, 2, 3

Volume ID:   0 (on ubi0)
Type:        static
Alignment:   1
Size:        10 LEBs (1269760 bytes, 1.2 MiB)
Data bytes:  1143592 bytes (1.0 MiB)
State:       OK
Name:        uboot
Character device major/minor: 249:1

Volume ID:   1 (on ubi0)
Type:        dynamic
Alignment:   1
Size:        35 LEBs (4444160 bytes, 4.2 MiB)
State:       OK
Name:        kernel
Character device major/minor: 249:2

Volume ID:   2 (on ubi0)
Type:        dynamic
Alignment:   1
Size:        42 LEBs (5332992 bytes, 5.0 MiB)
State:       OK
Name:        rootfs
Character device major/minor: 249:3

Volume ID:   3 (on ubi0)
Type:        dynamic
Alignment:   1
Size:        287 LEBs (36442112 bytes, 34.7 MiB)
State:       OK
Name:        rootfs_data
Character device major/minor: 249:4

===================================

ubi1
Volumes count:                           1
Logical eraseblock size:                 126976 bytes, 124.0 KiB
Total amount of logical eraseblocks:     64 (8126464 bytes, 7.7 MiB)
Amount of available logical eraseblocks: 0 (0 bytes)
Maximum count of volumes                 128
Count of bad physical eraseblocks:       0
Count of reserved physical eraseblocks:  8
Current maximum erase counter value:     15
Minimum input/output unit size:          2048 bytes
Character device major/minor:            248:0
Present volumes:                         0

Volume ID:   0 (on ubi1)
Type:        dynamic
Alignment:   1
Size:        50 LEBs (6348800 bytes, 6.0 MiB)
State:       OK
Name:        tp_data
Character device major/minor: 248:1

I had a lot more trouble with timeouts for the tftp initramfs-kernel firmware transfer:
atftpd, dnsmasq, tftp-hpa or tftpy, same problem until

stop auto negotiation and force 100 Mb/s full duplex:
sudo ethtool -s eth0 speed 100 duplex full autoneg off

@inoperable are you trying to do a mercusys_mr85x-squashfs-factory.bin ?

That would be Handsome :slight_smile:

No, that wouldn't work through the recovery, Mercusys uses a weird stitched up ubifs format with signature checks. I thought I'll be able to modify stock firmware and repackage it - but my image gets past the verification initially but never gets written into NAND, the router just reboots as if it were done but nothing changes.

Do you have an actual serial header on the PCB? I have only those contact points but I can't get anything transmitted to the router, receiving only.

The stock firmware is swiss cheese, nobody sane should run it. If I can't get over that I'll be dumping this unit and grabbing a different one.

Mercusys GPL package can't be compiled or anything, it's a mess of custom openwrt with even weirder stuff like make_up that does the signing or so I thought

No serial header on the PCB