OpenWrt support for TP-Link Deco M4R

Hi,

In my search for any clue if someone already attempted to build a custom firmware for the M4 I stumbled upon this thread. I've been wanting to build or, if already available, flash/use a custom firmware for a while now but didn't have the time to get started. Your conversation triggered me to give it a shot.

While this is going to be my first attempt to build or even figure out how to start, I do have a soldering iron and the cable mentioned above. So I'll give it a try today or otherwise tomorrow and see how things go.

P.S. (if) there are some/a lot of typos... when I find my glasses I will correct them... :slight_smile:

1 Like

Opening the device and soldering sadly is the easy part. At least for me. I'm currently hanging at this problem and have no clue how to solve it: Init routine goes into loop when trying to execute ubus with custom image for Deco M4R

1 Like

Okay, I've got the ramfs image working on the deco. :partying_face:

Turns out that the v19.07.8 branch works while neither master nor v21.02 want to let me past that problem with ubus.

Now I have to test actually flashing the device. But before that I have to find out where the "label MAC" is stored. Because the one written on the sticker on the bottom of the device isn't the same MAC as the one in the bootloader. And the 5GHz wifi just uses 12:34:56:78:90:12 which isn't correct either.

About the size of the RAM and Flash: The Flash has 128M which stands for 128Mbit, so 16MByte.
And for the RAM I looked here: https://zentel-europe.com/productddr2.html
That does say "1Gb". But that too stands for 1Gbit, so 128MByte of RAM.

1 Like

Alright. Next problem: There is no web gui to flash any firmware. If you hold down the reset button while booting, the bootloader will start a small http server of its own where you can upload a firmware. But if I do that then this is the result:

U-Boot 1.1.4 (Sep 17 2019 - 20:57:52)

ap152 - Dragonfly 1.0DRAM:
sri
ath_ddr_initial_config(278): (ddr2 init)
ath_sys_frequency: cpu 775 ddr 650 ahb 258
Tap values = (0xf, 0xf, 0xf, 0xf)
128 MB
Top of RAM usable for U-Boot at: 88000000
Reserving 474k for U-Boot at: 87f88000
Reserving 192k for malloc() at: 87f58000
Reserving 44 Bytes for Board Info at: 87f57fd4
Reserving 36 Bytes for Global Data at: 87f57fb0
Reserving 128k for boot params() at: 87f37fb0
Stack Pointer at: 87f37f98
Now running in RAM - U-Boot at: 87f88000
Flash Manuf Id 0x20, DeviceId0 0x70, DeviceId1 0x18
flash size 16MB, sector count = 256
Flash: 16 MB
*** Warning - bad CRC, using default environment

Power up PLL with outdiv = 0 then switch to 3
In:    serial
Out:   serial
Err:   serial
Reading Partition Table from NVRAM ... OK
Parsing Partition Table ... OK
Net:   No valid address in Flash. Using fixed address
athr_mgmt_init ::done
Dragonfly  ----> S17 PHY *
athrs17_reg_init: complete
SGMII in forced mode
athr_gmac_sgmii_setup SGMII done
: cfg1 0x80000000 cfg2 0x7114
eth0: 00:03:7f:09:0b:ad
eth0 up
eth0
Setting 0x181162c0 to 0x40802100
Trying eth0
eth0 link down
FAIL
Trying eth0
eth0 link down
FAIL
Trying eth0
dup 1 speed 1000
HTTP server is starting at IP: 192.168.0.1
HTTP server is ready!

Request for: /
Request for: /favicon.ico
## Error: request file name not suport!
Data will be downloaded at 0x80060000 in RAM
Upgrade type: firmware
Upload file size: 4656426 bytes
Loading: ######## (this is longer in reality)

Firmware Recovery file length : 4656426
fw_type_name :
cloud nm_tpFirmwareVerify : 270
[NM_Error](handle_fw_cloud) 00166: Check rsa error.

## Error: HTTP upgrade file check failed!

Trying eth0
HTTP server is starting at IP: 192.168.0.1
HTTP server is ready!

Most people won't open their device and solder any cables to it, so unless someone finds a solution for this then this device will still be unsupported.

And I doubt that I'm going to find a fast solution for this anytime soon without someone more knowledgeable on the subject.


Edit:

Okay, I'm giving up with trying to get the firmware on the device via the bootloader recovery. I've looked at other devices and had to realize that I have absolutely no clue how they created recovery images.

I'm going to publish my source code modifications and the resulting ramfs, factory and sysupgrade images on github. But I'm not going to make a pull request because I've got no clue if what I did to the tplink-safeloader.c is correct or not since it's not working with the bootloader recovery.

Another "problem" is that while images based on v19.07.8 are working, images based on v21.02 are not. And I'm not quite sure what to do about that. So no pull request because of that either.

Apart from that everything is working:

  • All three LED colors can be assigned to whatever you want (and can select from the dropdown menu). By default green is just for "power on", red is for when the 2.4GHz is seeing traffic and blue is for when the 5GHz is seeing traffic. Makes the Deco blink between green, yellow, turquoise and white. (But you can switch all of them off if you want.)
  • The ethernet switch is working as expected including VLAN so you can even use the Deco as an actual router by creating two different VLANs with one being untagged on Port 1 and the other being untagged on Port 2. Or you can just use one port with multiple tagged VLANs for an AP with multiple SSIDs (which is what I'm doing).
  • 2.4GHz and 5GHz wifis are working without problems. The 2.4GHz radio tells you it is "Generic 802.11bgn", but from what I've found searching for this that's a cosmetic issue and doesn't impact performance.

I'm going to solder wires to the other two Decos just like I did with the first one to flash them via the serial connection. For me that's enough.

In the next days I'm going to ask for a wiki account so I can document what I did. Opening the device is quite easy and soldering three wires to the board isn't hard either. You just need a screwdriver, a plectrum (or something similar made out of plastic to pop the ethernet port cover), a soldering iron (preferably with a fine tip) and a usb-ttl connector for 3.3v.

And a note about the mesh functionality:
This isn't something made in hardware. So if you flash basic openWRT on a Deco then you of course lose the mesh functionality.
OpenWRT of course supports 802.11s to create an "internal" mesh network between the routers/APs and you can then bridge your wifi network to that. That works if you only have one SSID. But I haven't tried it myself, only read about it here on the forum.

If you have multiple SSIDs like "main" and "guest" then you're going to need batman to be able to create multiple VLANs on top of the 802.11s mesh: https://openwrt.org/docs/guide-user/network/wifi/mesh/batman
I don't need it since I've got ethernet sockets in every room anyway, so I'm not going to look into this further and this is the most help I can give about this topic.

5 Likes

Plz let us know where we can find your documentation. I am really eager to learn the steps you took to this point.

Hi! Very nice job... Any news for supporting this device?

1 Like

Any news on these? Download the source again now but it seems these things will require some kind of signing on the firmware. That's terrible. >:(

I'm currently somewhere between being ill and having too much work at my job, so cleaning up my mess of a code just hasn't happened yet. I will have to see if I can get around to it in the coming weeks.

And a step by step how-to with opening, soldering, reading the UART output correctly and flashing the firmware via the bootloader is much easier said than written. That will take time and will never be something an enduser will be likely to attempt.

There is no way around opening the device and soldering cables to it.

Without knowing the private key from TP-Link to sign the firmware you will never be able to flash OpenWrt without soldering.

So don't buy this device because you think that there will be an easy way to flash it with OpenWrt in the future. That will likely never happen.

Just get three TP-Link Archer C6 V2. That device has the exact same hardware in it as the Deco M4R V1 and V2 and even offers more external ports than the Deco M4Rs. And all that for the same price.

There is also a Deco M4R V3 out there that is based around a Qualcomm IPQ4019, which might be more powerful than the older version. For that the Archer C6 V2 is of course not a direct replacement.

I've created a github repository for my modifications that also includes the compiled firmware I created in August.
Keep in mind that this is provided "as is" without any warranty.

Instructions with photos on how to open the device, solder cables to it and how to flash the firmware will follow, but I don't know when. Maybe this year, maybe next year.

1 Like


There is a web GUI that can flash firmware, but you need to set up your router with the app first. Haven't tested whether it works with OpenWrt firmware.

This web GUI was added in an update, you may need to update your firmware with the app first.

I've added the "factory" version of the firmware to the release on github. If you want to you can try it and tell me if it worked or not.

I'm guessing that this new web interface will very likely also check if the RSA signature is correct. But it's definitely worth a try.

I can't check this myself because all my devices are currently in use.

It didn't work, nothing happens when trying to flash OpenWrt, the router ignores the file.

Now this can have two reasons:

a) I've used the special_id entries and the soft_ver entry from build 20200918 and you've got build 20210916 installed, which came out after I had already flashed my devices via bootloader and didn't have to look into this further. Might very well be that it might work if those are updated. Because sometimes firmwares don't want to be reverted to an older version but maybe reflashing with the same version works.

b) The RSA check is in that gui too and it doesn't matter what special_ids are in the firmware.

I'm not going to investigate this any further since my devices are working with OpenWrt and this is where investing my free time ends.

But if you really want it on your devices without soldering then you might want to ask TP-Link for the sources for their new firmware that they have to publish (upon request) anyway. And there you should be able to check if this new gui performs the RSA check.
And you can of course always replace the special_ids in my code with the ones in the new firmware (just open it up with a text editor like notepad++ and search for "special"), compile the firmware yourself and test that out.

This is correct, the special ids and soft_ver entries were outdated, the latest firmware has new special id entries. This is how the deco entry in tplink-safeloader.c looks after my changes:

/** Firmware layout for the Deco M4R v1 and v2 */
	{
		.id     = "DECO-M4R-V1V2",
		.vendor = "",
		.support_list =
			"SupportList:\n"
			"{product_name:M4R,product_ver:1.0.0,special_id:55530000}\n"
			"{product_name:M4R,product_ver:1.0.0,special_id:45550000}\n"
			"{product_name:M4R,product_ver:1.0.0,special_id:43410000}\n"
			"{product_name:M4R,product_ver:1.0.0,special_id:4A500000}\n"
			"{product_name:M4R,product_ver:1.0.0,special_id:41550000}\n"
			"{product_name:M4R,product_ver:1.0.0,special_id:4B520000}\n"
			"{product_name:M4R,product_ver:1.0.0,special_id:49440000}\n"
			"{product_name:M4R,product_ver:2.0.0,special_id:55530000}\n"
			"{product_name:M4R,product_ver:2.0.0,special_id:45550000}\n"
			"{product_name:M4R,product_ver:2.0.0,special_id:43410000}\n"
			"{product_name:M4R,product_ver:2.0.0,special_id:4A500000}\n"
			"{product_name:M4R,product_ver:2.0.0,special_id:41550000}\n"
			"{product_name:M4R,product_ver:2.0.0,special_id:4B520000}\n"
			"{product_name:M4R,product_ver:2.0.0,special_id:54570000}\n"
			"{product_name:M4R,product_ver:2.0.0,special_id:42340000}\n"
			"{product_name:M4R,product_ver:2.0.0,special_id:49440000}",
		.support_trail = '\x00',
		.soft_ver = "soft_ver:1.5.2 Build 20210916 Rel. 56193\n",

Extracted from firmware file with hex editor:

SupportList:
{product_name:M4R,product_ver:1.0.0,special_id:55530000}
{product_name:M4R,product_ver:1.0.0,special_id:45550000}
{product_name:M4R,product_ver:1.0.0,special_id:43410000}
{product_name:M4R,product_ver:1.0.0,special_id:4A500000}
{product_name:M4R,product_ver:1.0.0,special_id:41550000}
{product_name:M4R,product_ver:1.0.0,special_id:4B520000}
{product_name:M4R,product_ver:1.0.0,special_id:49440000}
{product_name:M4R,product_ver:2.0.0,special_id:55530000}
{product_name:M4R,product_ver:2.0.0,special_id:45550000}
{product_name:M4R,product_ver:2.0.0,special_id:43410000}
{product_name:M4R,product_ver:2.0.0,special_id:4A500000}
{product_name:M4R,product_ver:2.0.0,special_id:41550000}
{product_name:M4R,product_ver:2.0.0,special_id:4B520000}
{product_name:M4R,product_ver:2.0.0,special_id:54570000}
{product_name:M4R,product_ver:2.0.0,special_id:42340000}
{product_name:M4R,product_ver:2.0.0,special_id:49440000}

soft_ver:1.5.2 Build 20210916 Rel. 56193

I've added the new special ids and changed soft_ver. If you notice discrepancies please tell me.
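The comparison done by hand with a hex editor in the posts above, as an added example that is not part of the original thread or of the OpenWrt sources: it pulls the SupportList and soft_ver strings out of two images and reports the entries a custom build lacks. The function names and both sample blobs are constructed for illustration, and reading the first two bytes of special_id as an ASCII region code is an inference from the values shown, not something the thread states.

```python
import re

ENTRY = re.compile(rb"\{product_name:([^,}]+),product_ver:([^,}]+),"
                   rb"special_id:([0-9A-Fa-f]{8})\}")
SOFT_VER = re.compile(rb"soft_ver:([^\n\x00]+)")

# Constructed samples (not real firmware): filler bytes around the strings,
# keeping only three of the sixteen entries quoted in the thread.
SAMPLE_STOCK = (
    b"\x00\x01\xff\xfeSupportList:\n"
    b"{product_name:M4R,product_ver:1.0.0,special_id:55530000}\n"
    b"{product_name:M4R,product_ver:2.0.0,special_id:45550000}\n"
    b"{product_name:M4R,product_ver:2.0.0,special_id:54570000}\n"
    b"\x00\xffsoft_ver:1.5.2 Build 20210916 Rel. 56193\n\xff")
# Custom image with an outdated list; its soft_ver is a placeholder.
SAMPLE_CUSTOM = (
    b"SupportList:\n"
    b"{product_name:M4R,product_ver:1.0.0,special_id:55530000}\n"
    b"{product_name:M4R,product_ver:2.0.0,special_id:45550000}\x00"
    b"soft_ver:0.0.0 Build 20200918 Rel. 00000\n")

def parse_image(blob):
    """Return (set of (product_name, product_ver, special_id), soft_ver)."""
    pos = blob.find(b"SupportList:")
    if pos < 0:
        raise ValueError("no SupportList marker found")
    pos += len(b"SupportList:")
    entries = set()
    # Entries are newline-separated; stop at the first byte that is not one.
    while blob[pos:pos + 1] == b"\n":
        m = ENTRY.match(blob, pos + 1)
        if not m:
            break
        name, ver, sid = (g.decode("ascii", "replace") for g in m.groups())
        entries.add((name, ver, sid.upper()))
        pos = m.end()
    sv = SOFT_VER.search(blob)
    return entries, (sv.group(1).decode("ascii", "replace").strip() if sv else None)

def region(special_id):
    """First two bytes of special_id as ASCII, e.g. 55530000 -> 'US'."""
    raw = bytes.fromhex(special_id)[:2]
    return raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else "??"

def compare(stock, custom):
    (s_ids, s_ver), (c_ids, c_ver) = parse_image(stock), parse_image(custom)
    return {"missing": sorted(s_ids - c_ids), "extra": sorted(c_ids - s_ids),
            "soft_ver_match": s_ver == c_ver}

if __name__ == "__main__":
    print(compare(SAMPLE_STOCK, SAMPLE_CUSTOM))
```

An empty "missing" list and a matching soft_ver only rule out reason (a) from the earlier post; they say nothing about whether the image passes the RSA check.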

To be honest: I've got no clue about these. I've included them because everyone else was including them for their TP-Link devices. You have correctly transferred the IDs and the soft_ver, but I can't say if that is right, enough or even the problem.

Good luck and do tell afterwards if it is working or not.

1 Like

For anyone reading that, don't do it. The C6 (and A6) v3+ now use a garbage mediatek chipset that's flaky at best. For testing I brought in 5 of them and they drop the wireless randomly like all the mediatek chipsets too. :frowning:

You're of course right that I should have mentioned the version. What I was talking about is the Archer C6 V2, which really does have the same hardware inside as the Deco M4R V1 and V2.

Meanwhile the Deco M4R V3 has literally the same layout (and the same chips) as the Deco M5 and likely other more recent devices with an ARM SoC inside. For that the Archer C6 V2 is of course no direct replacement.

1 Like

Hi there,
I'm new here. I've come here to share this file. It contains developer/beta firmware for Deco M4R V2. I was facing a problem, so a TP-Link engineer installed this firmware to diagnose the problem. Also, the zip has a portable putty software that can telnet to the router & get access to the terminal directly. This firmware opens a telnet port 23 & you can access this through this putty. This firmware has a WebGUI update feature too. Also, the WebGUI shows "Confidential Only For Test". As it is a beta firmware, I hope that helps to boost this project.
Zip Link: https://www.mediafire.com/file/kejyjxygvjmlcou/Deco+M4.zip/file
Mirror: https://gofile.io/d/QEtxMj

1 Like

I tried flashing this but it didn't work, the router won't allow flashing an older version (this is 1.4.3 beta, my router is on 1.5.2) in the WebGUI, didn't try bootloader recovery.

The web gui won't let you downgrade. But the bootloader recovery web gui might let you install whatever you want as long as the RSA signature is okay.