this is supposed to modify a string in the bootloader. the bootloader reads from flash to boot kernel by using this command internally: sf probe &&sf read 0x%x 0x%x 0x%x &&
if you've noticed, there are template values in that string (the %x). me and naf could not get this to work / find where it sources these values during testing, so they had the clever idea to hardcode the memory addresses
replacing said string with sf probe &&sf read 0x84000000 0x1020000 0xfe0000 && will work great, but said string is longer than the previous string, so we have to steal space from a help message (hence the length modification in the previous line)
unfortunately diffing this and the old one shows no results. it also looks in the log as if the really long line was clipped or something? maybe that's just the copy pasting from terminal but idk
perhaps save the script to a file with a proper text editor on the tftp server and then download it through there to avoid anything?
/tmp # vi extract.sh
/tmp # chmod +x extract.sh
/tmp # ./extract.sh
copying mtd8 to tmp
1024+0 records in
1024+0 records out
patching /tmp/mtd8.bin
2+0 records in
2+0 records out
189+0 records in
189+0 records out
patched bootloader is at /tmp/mtd8.bin
/tmp #
/tmp # tftp -pl mtd8.bin 192.168.1.44
mtd8.bin 100% |*********************************************************************************************| 512k 0:00:00 ETA
/tmp #
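Added example, not part of any post in this thread: a check to run on the machine that received mtd8.bin, comparing the patched dump with an unpatched copy before anything is written to flash. It catches the two failures mentioned above (a diff that shows no change, and a clipped command string). The two command strings are the ones quoted in the thread; the `window` tolerance, the function names and the file arguments are assumptions of this sketch.

```python
import sys

OLD_CMD = b"sf probe &&sf read 0x%x 0x%x 0x%x &&"                  # template quoted in the thread
NEW_CMD = b"sf probe &&sf read 0x84000000 0x1020000 0xfe0000 &&"   # hardcoded replacement


def changed_ranges(a, b):
    """Half-open (start, end) ranges where two equal-length images differ."""
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def check_patch(orig, patched, window=256):
    """Return a list of problems; an empty list means the patch looks sane.

    window is an assumption: every changed byte should sit within this many
    bytes of the original template string (the string itself plus the help
    text it borrows space from).
    """
    if len(orig) != len(patched):
        return ["size changed: %d -> %d bytes" % (len(orig), len(patched))]
    if orig == patched:
        return ["images are identical, the patch did not apply"]
    if orig.count(OLD_CMD) != 1:
        return ["template string not found exactly once in the original"]
    problems = []
    if patched.count(NEW_CMD) != 1:
        problems.append("hardcoded command missing, clipped or duplicated")
    if OLD_CMD in patched:
        problems.append("template command still present")
    off = orig.find(OLD_CMD)
    for start, end in changed_ranges(orig, patched):
        if start < off - window or end > off + len(OLD_CMD) + window:
            problems.append("unexpected change at 0x%x-0x%x" % (start, end))
    return problems


if __name__ == "__main__" and len(sys.argv) == 3:
    with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
        for line in check_patch(f1.read(), f2.read()) or ["patch looks sane"]:
            print(line)
```

Run it as `python3 check_patch.py mtd8.orig.bin mtd8.bin` (hypothetical file names); any line other than "patch looks sane" is a reason not to flash the image.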
While this method indeed works for deco m4r's, from my experience there is way too much instability on the wireless network for the switch to openwrt to be worth it. Been at this for at least 6 months with countless research and infinite trials and errors. I don't think this is for people who want a seamless roaming setup with a single SSID as it has too many issues. Will unfortunately revert back to the stock spyware because of this.
I have three M4Rs and 5 other access points with the same chip set running openwrt with a single SSID for my private network and a separate SSID with its own VLAN for a hotspot. The backhaul is done via Ethernet cable. And I have zero issues with this setup.
I can run around on my property while streaming or making a video call via WiFi and the handover between access points isn't noticeable.
So care to elaborate what kind of instability you're encountering?
Sure, I have an ER605v2 as my main wired router and two deco m4r's configured as dumb ap's (both of them are ethernet backhauled). During the initial setup where I enabled 802.11kvr and other related stuff that was only available on the web interface, I have had several deadzones inside my house where it did not make sense, using iperf3 I was able to confirm that these deadzones had 0 mbps even though it was not that far away from the AP, I tried to tweak with the dbm of both bands on both ap's but it did not seem to have helped (albeit I realized later in my journey that implementing the lowest possible dbm yields the best results on a multiple ap setup).
I also have had issues with rapid disconnection which took a while to fix and it was to untick disassociate on low ack. After this I again tried to tweak with the dbm settings which seemed to have helped with roaming but I still could not fix the deadzone issues and poor performance I was seeing on anything other than being very close to the AP's. I searched for the 5 GHz bands name and stability issues on Openwrt and turns out even though it's not documented properly the internals of the Archer C6 v2 and Deco M4R v2's seem to be essentially the same and it is stated in the archer wiki that:
Warning The 5 GHz radio / Qualcomm Atheros QCA9886 support seems to be buggy in some cases.
Some users report much improved long-term stability with 5 GHz by using the ath10k firmware instead of the ath10k-ct firmware. To do this remove the packages "kmod-ath10k-ct" and "ath10k-firmware-qca9888-ct" and instead install "kmod-ath10k" and "ath10k-firmware-qca9888".
So I tried this suggestion and it did help a lot. But it was still too unstable as some spots would get less than 10 mbps (which again did not make sense because i was getting around 300 on the default firmware in the exact spot). So asked around on Reddit and they recommended me to try DAWN or usteer. Usteer did not work particularly well but DAWN worked like a charm for me. And I thought this torture was finally over.
But then the APs started to have this weird disconnection issue where the stationary client would suddenly lose connection in all but name, the iperf test would not even connect and this issue did not go away until you stopped and restarted the clients wifi service. This happened on almost all mobile phones regardless of OS or its age. I tried a lot of solutions for this but none seemed to have worked which brought me here to today where my family members rightfully said enough as all of our mobile data was used up because of these instabilities.
Hopefully using mine and other people's experiences we can make a comprehensive guide for a setup for other newcomers but until TP-Link stops dropping security updates for this thing I will be using them in their default firmware on AP mode. The ER605v2 is still running Openwrt which is an okay compromise for me personally.
Would be more than happy to share more of the technical details if you are interested.
I have successfully managed to receive the GPL source for the Deco M4 v3 (clicking link does not download but copying the link and opening in new tab works for some reason) from TP-Link. Doing a diff on it when compared to the Deco M5 GPL source primarily looks like some led config changes, comments and very few minor changes along with dir path restructuring.
so from this and a bit of my previous research on the other tp-link devices with the same soc (ipq4019), it looks like they sold a bunch of different models sometimes with literally just a different brand of flash chip used or maybe added Bluetooth or maybe physical antenna connected to the pcb and using minor tweaks in software to give them various capabilities even though all of them are essentially the same device.
Thanks to @naf, @bobthebuilder and @caeklol for all the insights and the work done so far, i have successfully been able to build openwrt from the main branch with the help of their work but due to the dual slot firmware nature of the deco m4 v3 and since the default kernel partitions for slot 0 and slot 1 are both only 3.5 mb (modern openwrt builds need at least 4.2MB, smallest i could get it to with custom kernel config). This results in forcing us to use one of the slots for openwrt in case stock recovery capability is required, the max combined partition size available is 15.625Mb (combining the slot 1 kernel + slot 1 rootfs + extra 256kb of unused/unpartitioned space after rootfs). With all this said my current builds are sitting at around 12MB with all the features i need (batman-adv, radius auth, hardware accel for ipq4019 (main soc) and qca8072 (gigabit ethernet), luci dashboard, vlan, qos, bufferbloat optimisation and a couple more), but the thing is i need to give it a custom build config and since the ipq4019 src currently has 3 subtargets defined (chrome, mikrotik and generic), i added my target config under generic but had to modify the generic config-default to achieve this (which will affect all other devices defined under generic as well). So i looked into adding a new subtarget but could not find any reliable or properly documented sources for this.
i tried creating a new subtarget dir and updating the ipq40xx Makefile with the subtarget and this does add it(and make it available in the make menuconfig) but the config-default from the new subtarget does not get picked up automatically like with the other subtargets.
So if anyone has info on or knows the proper way to add new subtargets and subtarget profiles such that specifying a target in firmware make cmd utilizes the config-default of the new subtarget, i would really appreciate it.
OR
if i am wrong in trying to define a custom config for the device and it should just be the default generic one instead,since almost all targets i looked at were using the basic default config, please let me know . ( end users choice in what config they want and have to build it themself and all targets in the repo should use basic config to get the device up and running and then let the user choose ?)
it's been a while! apologies for the delay, my deco is my main router and i haven't been able to risk modding it recently. also i kind of forgot
looking good! also i meant editing the script on your computer, then downloading it through tftp but that works too
you should be able to write this and boot
if all goes well, you'll boot into stock fw! you can then await for me to cross-compile flashcp(recommended)
alternatively, if anyone wants the method naf and i used for booting into openwrt, we modded the built-in nvrammanager binary like so:
then you should just be able to upload the openwrt sysfactory image (compiled with the firmware-utils fork) through the web interface! naf didn't suggest this cause it's not as clean but i personally like it. anyway i'll have to cross compile flashcp either way for a cleaner solution. i'll hopefully phrase the instructions better after that
from my understanding of openwrt the factory configuration should be the bare minimum / mimicking stock fw (idk. someone more openwrt experienced please chip in?). for my config (caeklol/openwrt, branch openwrt-24.10) that meant leds, lan/wan and nothing else. and then you make changes via LuCI / uci
yep i noticed that! i copied most of my config from the m5 commit. so much that my commit message for my fork was actually named after m5 and not m4r v3. whoops.
No clue about 802.11s since all my APs are wired. But I would expect that it should have normal speeds just like in AP mode. I doubt that you can run AP mode and 802.11s at the same time on the same radio without the quality degrading too much.
I tried flashing my Deco M4 V4 through the Uboot page and it seems to work but after the page reloads and I reset the IP settings to DHCP it won't find my Deco unit.
IPconfig keeps going back to default nothing found range of 169.254.. and the Deco unit is just showing a solid green light.
I flashed using the Factory.bin file from this link Index of /releases/23.05.2/targets/ramips/mt7621/
What am I doing wrong, or what step am I forgetting?
Thanks, but I get the same result. Firmware seems to install correctly but then after a reboot and setting my IP address to DHCP it only finds 169.254.32.32.
Even a Ping of the IP range comes up to nothing.
I feel like I'm missing a step or something. Does the V4 need the TFTP upload, doesn't seem like it when using the Uboot page
Well nevermind, changing my IP settings to 192.168.1.2 and then going to the Luci page on 192.168.1.1 seems to do the trick.
Quick and stupid question. I have 3 M4R v2 and 2 M4R v3 - has anyone been able to get a build of the V3? i am happy to test. I am currently in the process of flashing the V2 to replace a set of dodgy AX23s.
On a V3 Deco, after you open the lock, you build an image from source using caeklol's github repo.
I'm currently on 24.10.6.
I tried to build 25.12, but that failed with errors. The biggest one might be [401-mtd-spi-nor-xmc-add-xm25qh256.patch], because -it seems- the original file, xmc.c changed. I don't have the background to correct for this change.
24.10 already is a giant leap forward as the TP-link fw is based on linux kernel 3.14 (compared to 6.6 in Openwrt 24.10).
Thanks caeklol and naf419!