Porting Firmware to TP-Link Archer C20 v5

I read from the following post that the V5 has similar hardware as the v4, so I thought there might be a chance for my v5 to transform.

It seems most of the hardware is the same. Does it mean I should be able to directly use the firmware for v4 to flash my v5?

Any hardware checking needed before installing? Any changes needed on the firmware to fit my device?

From the installation instruction, it seems safe to do experiments, since it is said that you can always flash the stock firmware if anything goes wrong.

I do not mind doing trivial experiments on my device or modifying code. More advice or detailed instructions would always help, since I am quite new to this firmware stuff.

-Get serial and boot an initramfs
-Backup everything
-Compare the DTS for v4 with the DTS / dmesg from your current device. ( partition layout )

I notice no serial for your device in that table.... 1 and 2 can be done over ssh / telnet if you can get it. You'll be playin roulette without serial when it comes to testing though. Maybe someone here can help you? In any event, check for similarities with V4.

Go from there..... post the flash layout from a bootlog ( terminal dmesg or serial ) here in code tags and a kind soul might help ya :wink: )

NOTE: Power spec in that table is a little ODD.... I wonder if it's under clocked.... missing usb?

I opened it up. It seems to have similar holes for serial as in the v4. I will try to get a cable for that. Meanwhile, I might need to learn and prepare this new stuff and to find the result from a v4.

How do I do a "boot an initramfs"? Is it a command issued through serial?

If you get serial.....

a) press escape key to interrupt normal boot

b) work out what the right command is to load it
( it's one file.... kernel, dtb, rootfs all in one )
usually from tftp but usb is also handy

paste output of
> printenv
if you need help.... 

edit wiki page lists example for v4
tftp 0x80060000 initramfs.bin 
( load from network to ram )
then something like
bootm 0x80060000
( execute at that memory address aka start )

c) obtain... check the downloads / buildroot for an initramfs image

d) fire that baby up!

it runs in ram... so there is no harm in you booting v4.

None here: http://downloads.openwrt.org/releases/18.06.2/targets/ramips/mt76x8/

You'll need to compile one in the buildroot.... simple enough and virtually your next step in the process anyway......

https://openwrt.org/toh/tp-link/tp-link_archer_c20_v4

If you get a bootlog you're comparing to v4... this bit

[    0.677684] spi-mt7621 10000b00.spi: sys_freq: 193333333
[    0.690872] m25p80 spi0.0: gd25q64 (8192 Kbytes)
[    0.695608] 4 fixed-partitions partitions found on MTD device spi0.0
[    0.702108] Creating 4 MTD partitions on "spi0.0":
[    0.706986] 0x000000000000-0x000000020000 : "boot"
[    0.712761] 0x000000020000-0x0000007c0000 : "firmware"
[    0.768575] 2 tplink-fw partitions found on MTD device firmware
[    0.774609] 0x000000020000-0x0000001977ac : "kernel"
[    0.780591] 0x0000001977ac-0x0000007c0000 : "rootfs"
[    0.786391] mtd: device 3 (rootfs) set to be root filesystem
[    0.793480] 1 squashfs-split partitions found on MTD device rootfs
[    0.799827] 0x000000380000-0x0000007c0000 : "rootfs_data"
[    0.806184] 0x0000007c0000-0x0000007d0000 : "config"
[    0.812122] 0x0000007d0000-0x000000800000 : "factory"

here is a binwalk of the two model OEM bins.... promising.... note the different uboot addresses

# binwalk -e v4.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
82512         0x14250         U-Boot version string, "U-Boot 1.1.3 (Jan  3 2019 - 14:36:02)"
132096        0x20400         LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 3642448 bytes
1442304       0x160200        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 5397244 bytes, 683 inodes, blocksize: 131072 bytes, created: 2019-01-03 06:44:20

# binwalk -e v5.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
80960         0x13C40         U-Boot version string, "U-Boot 1.1.3 (Dec 13 2018 - 09:07:10)"
132096        0x20400         LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 3642448 bytes
1442304       0x160200        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 5150316 bytes, 742 inodes, blocksize: 131072 bytes, created: 2018-12-13 01:16:29

Flash command WARNING DO NOT USE!!!

v4
tftp 0x80060000 tp_recovery.bin;erase tplink 0x20000 0x7a0000;cp.b 0x80080000 0x20000 0x7a0000
reset
v5
tftp 0x80060000 tp_recovery.bin;erase tplink 0x20000 0x7a0000;cp.b 0x80080000 0x20000 0x7a0000
reset
serverip 192.168.0.66
v4 jenkins-SOHOI_MTK_MEDIUM_ROUTER-90
v5 jenkins-SOHOI_MTK-1131

So it looks like the partitions are similar.... but they use different bin magic... / headers.....

That is probably the only thing to devise.... That would be to install.... via oem interface.... ( full support )

Either way.... you'll be able to run the initramfs from tftp to test drive..... :slight_smile:


Got the serial messages out of the v5

I have trouble interrupting the factory boot up sequence. It does not respond to any keyboard input. I have set the "flow control" to none, "local line editing" to "force on". It seems the device does not wait for any input.

U-Boot 1.1.3 (Dec 13 2018 - 09:07:10)

Board: Ralink APSoC DRAM:  64 MB
relocate_code Pointer at: 83fb8000
gpiomode1 55054404.
gpiomode2 00000000.
gpiomode2 05550555.
flash manufacture id: ef, device id 40 17
find flash: W25Q64BV
============================================
Ralink UBoot Version: 4.3.0.0
--------------------------------------------
ASIC 7628_MP (Port5<->None)
DRAM component: 512 Mbits DDR, width 16
DRAM bus: 16 bit
Total memory: 64 MBytes
Flash component: SPI Flash
Date:Dec 13 2018  Time:09:07:10
============================================
icache: sets:512, ways:4, linesz:32 ,total:65536
dcache: sets:256, ways:4, linesz:32 ,total:32768

 ##### The CPU freq = 580 MHZ ####
 estimate memory size =64 Mbytes
RESET MT7628 PHY!!!!!!
continue to starting system.                                                  0
disable switch phyport...

3: System Boot system code via Flash.(0xbc050000)
do_bootm:argc=2, addr=0xbc050000
## Booting image at bc050000 ...
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 8000c150) ...
## Giving linux memsize in MB, 64

Starting kernel ...


LINUX started...

 THIS IS ASIC
Linux version 2.6.36 (jenkins@mobile-System) (gcc version 4.6.3 (Buildroot 2012.11.1) ) #1 Thu Dec 13 09:09:48 CST 2018

 The CPU feqenuce set to 580 MHz

 MIPS CPU sleep mode enabled.
CPU revision is: 00019655 (MIPS 24Kc)
Software DMA cache coherency
Determined physical RAM map:
 memory: 04000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Zone PFN ranges:
  Normal   0x00000000 -> 0x00004000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00004000
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16256
Kernel command line: console=ttyS1,115200 root=/dev/mtdblock2 rootfstype=squashfs init=/sbin/init
PID hash table entries: 256 (order: -2, 1024 bytes)
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Primary instruction cache 64kB, VIPT, , 4-waylinesize 32 bytes.
Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
Writing ErrCtl register=00073b0e
Readback ErrCtl register=00073b0e
Memory: 61072k/65536k available (2711k kernel code, 4464k reserved, 679k data, 168k init, 0k highmem)
NR_IRQS:128
console [ttyS1] enabled
Calibrating delay loop... 386.04 BogoMIPS (lpj=772096)
pid_max: default: 4096 minimum: 301
Mount-cache hash table entries: 512
NET: Registered protocol family 16
RALINK_GPIOMODE = 55054404
RALINK_GPIOMODE = 55044404
***** Xtal 40MHz *****
start PCIe register access
RALINK_RSTCTRL = 2400000
RALINK_CLKCFG1 = fdbfffc0

Out of the long boot log, I found a part that seems to be describing the partitions:

flash manufacture id: ef, device id 40 17
W25Q64BV(ef 40170000) (8192 Kbytes)
mtd .name = raspi, .size = 0x00800000 (8M) .erasesize = 0x00010000 (64K) .numeraseregions = 0
Creating 7 MTD partitions on "raspi":
0x000000030000-0x000000050000 : "boot"
0x000000050000-0x000000190000 : "kernel"
0x000000190000-0x0000007c0000 : "rootfs"
mtd: partition "rootfs" set to be root filesystem
0x0000007c0000-0x0000007d0000 : "config"
0x0000007d0000-0x0000007e0000 : "romfile"
0x0000007e0000-0x0000007f0000 : "rom"
0x0000007f0000-0x000000800000 : "radio"
Register flash device:flash0

Will this help?

In the meantime, I am trying to compile an initramfs image myself, but I doubt it would help if I cannot get the boot up stopped.

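The partition comparison suggested earlier in the thread, as an added example that is not part of any post: it parses the MTD lines from the v4 OpenWrt boot log and the v5 stock boot log quoted above and reports which v5 partitions a write to the v4 "firmware" or "factory" range would touch. Only the top-level v4 partitions are used, the 8 MB flash size is taken from the logs, and the function names are hypothetical.

```python
import re

# Top-level MTD lines copied from the v4 (OpenWrt) boot log in this thread.
V4_OPENWRT_LOG = """\
[    0.706986] 0x000000000000-0x000000020000 : "boot"
[    0.712761] 0x000000020000-0x0000007c0000 : "firmware"
[    0.806184] 0x0000007c0000-0x0000007d0000 : "config"
[    0.812122] 0x0000007d0000-0x000000800000 : "factory"
"""
# MTD lines copied from the v5 (stock firmware) boot log in this thread.
V5_STOCK_LOG = """\
0x000000030000-0x000000050000 : "boot"
0x000000050000-0x000000190000 : "kernel"
0x000000190000-0x0000007c0000 : "rootfs"
0x0000007c0000-0x0000007d0000 : "config"
0x0000007d0000-0x0000007e0000 : "romfile"
0x0000007e0000-0x0000007f0000 : "rom"
0x0000007f0000-0x000000800000 : "radio"
"""
MTD_LINE = re.compile(r'0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)\s*:\s*"([^"]+)"')

def parse_mtd(log):
    """Return [(name, start, end)] for every MTD partition line in a boot log."""
    return [(m.group(3), int(m.group(1), 16), int(m.group(2), 16))
            for m in MTD_LINE.finditer(log)]

def gaps(parts, flash_size):
    """Address ranges of the flash that no listed partition covers."""
    out, cursor = [], 0
    for _, start, end in sorted(parts, key=lambda p: p[1]):
        if start > cursor:
            out.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < flash_size:
        out.append((cursor, flash_size))
    return out

def overlaps(region, other_parts):
    """Names of partitions in the other layout that intersect `region`."""
    _, r_start, r_end = region
    return [name for name, s, e in other_parts if s < r_end and e > r_start]

def report(flash_size=0x800000):
    v4, v5 = parse_mtd(V4_OPENWRT_LOG), parse_mtd(V5_STOCK_LOG)
    by_name = {name: (name, s, e) for name, s, e in v4}
    return {"v5_unlisted": gaps(v5, flash_size),
            "v4_firmware_hits_v5": overlaps(by_name["firmware"], v5),
            "v4_factory_hits_v5": overlaps(by_name["factory"], v5)}

if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

With these logs the v4 "firmware" range starts at 0x20000 and covers the v5 "boot" partition at 0x30000, and the first 0x30000 bytes of the v5 flash are not listed at all, so the v4 layout cannot be assumed to fit without a full backup and a DTS check.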
I have set the "flow control" to none

There are two...;

SW and HW > both none
toggle the CR + LF options

perhaps it's not sending newline....

then there is;

ESC, 4, tpl tpl tpl.... etc. etc.

and

ls -la /dev/ttyU*

Got the initramfs.bin now, but still struggling to stop the bootup at the beginning.

tpl
/bin/sh: tpl: not found
printenv
/bin/sh: printenv: not found

It seems that the serial should be working, but it only responded after booting up the linux kernel.

"tpl" is (only) used at the bootloader stage, mostly intended as a password to enter the u-boot shell (and avoid accidental boot interruptions/ casual users from entering it). Similarly "printenv" is used from the running bootloader shell (not the system shell, once booted up), to display the u-boot variables.

Then my understanding seems to be correct. I intended to use these commands at the bootloader stage.

The story is that "tpl" does not interrupt the bootup. So the TTL Serial communication interface is suspected. But I later found out that it responded after the linux booted up. Does this mean that the Serial interface is setup correctly?

continue to starting system.                                                  0

Or this count down at the bootloader stage is too quick for any input?

Never mind my last reply. It seems working now.

After I transferred and ran the initramfs.bin, this came up.

MT7628 # bootm 0x80060000
do_bootm:argc=2, addr=0x80060000
## Booting image at 80060000 ...
   Uncompressing Kernel Image ... LZMA ERROR 1 - must RESET board to recover
[04010C0E][04010D09]
DDR Calibration DQS reg = 00008987

Is there anything wrong with how I am compiling this image file? The same error happens when I am loading it with the official bin file.

edit: I found an initramfs for the v4 "openwrt-ramips-mt76x8-tplink_c20-v4-initramfs-kernel.bin" and still the same error.

It's usually a fairly narrow window during which you can interrupt the bootloader (in the general range of one second).

try

bootz

so the correct uboot break sequence for the device is?

I just typed "4"

switch BootType:

4: System Enter Boot Command Line Interface.

U-Boot 1.1.3 (Dec 13 2018 - 09:07:16)
MT7628 #

bootz is not recognized.

MT7628 # help
?       - alias for 'help'
base    - print or set address offset
bootm   - boot application image from memory
bootp   - boot image via network using BootP/TFTP protocol
coninfo - print console devices and information
cp      - memory copy
crc32   - checksum calculation
erase   - erase SPI FLASH memory
go      - start application at address 'addr'
help    - print online help
start www server for firmware recovery
loadb   - load binary file over serial line (kermit mode)
loop    - infinite loop on address range
md      - memory display
mm      - memory modify (auto-incrementing)
mtest   - simple RAM test
nm      - memory modify (constant address)
printenv- print environment variables
rarpboot- boot image via network using RARP/TFTP protocol
reset   - Perform RESET of the CPU
rf      - read/write rf register
saveenv - save environment variables to persistent storage
setenv  - set environment variables
spi     - spi command
tftpboot- boot image via network using TFTP protocol
version - print monitor version
MT7628 #

I tried "tftpboot", but it seems that it only did what "tftp" does, loading the file to an address and then stopped there.

Does it have anything to do with the options when I config the .bin with "make menuconfig"?


Could be similar issue


Thanks for the reply.

I checked all the .bin I have with me and all seems to be V2 header?

I will try to compile again with a similar line in your link:

KERNEL_INITRAMFS := kernel-bin | patch-cmdline | lzma | tplink-v3-header
define Device/tplink_c20-v4
  $(Device/tplink)
  DTS := ArcherC20v4
  IMAGE_SIZE := 7808k
  DEVICE_TITLE := TP-Link ArcherC20 v4
  TPLINK_FLASHLAYOUT := 8Mmtk
  TPLINK_HWID := 0xc200004
  TPLINK_HWREV := 0x1
  TPLINK_HWREVADD := 0x4
  TPLINK_HVERSION := 3
  DEVICE_PACKAGES := kmod-mt76x0e
endef
TARGET_DEVICES += tplink_c20-v4

The code already in the file looks like this.

I am adding one more section to it:

define Device/tplink_c20-v5
  $(Device/tplink)
  DTS := ArcherC20v4
  IMAGE_SIZE := 7808k
  DEVICE_TITLE := TP-Link ArcherC20 v5
  TPLINK_FLASHLAYOUT := 8Mmtk
  TPLINK_HWID := 0xc200005
  TPLINK_HWREV := 0x1
  TPLINK_HWREVADD := 0x5
  TPLINK_HVERSION := 3
  KERNEL := kernel-bin | patch-cmdline | lzma
  KERNEL_INITRAMFS := kernel-bin | patch-cmdline | lzma | tplink-v3-header
  DEVICE_PACKAGES := kmod-mt76x0e
endef
TARGET_DEVICES += tplink_c20-v5

But this gives an error at compile.

Makefile:165: *** Missing Build/tplink-v3-header.  Stop.

Does anyone know where I can get this compiled?

Linux (at address 8000c150) ... ( < loaded into 8000000 )

aka

MT7628 # bootm 0x80060000 < = too high for uboot?

http://hobby.sli.pl/router/mr200v2-router.txt
https://wikidevi.com/wiki/TP-LINK_Archer_MR200
https://openwrt.org/toh/tp-link/archer-mr200

https://www.google.com.au/search?q="Transferring+control+to+Linux+(at+address+8000c150)+..."&oq="Transferring+control+to+Linux+(at+address+8000c150)+..."

that does not help.

seems like a bin file issue to me. maybe the uboot of this v5 will do some sort of checking preventing this kind of files to bootup? the previously mentioned v3-header issue seems a good way to start, but I cannot find this v3-header support at compiling the binary.

from this page, it seems it is using v3 header.
https://github.com/xdarklight/mktplinkfw3

but the header part of my own bin is also 0x03000000?

Please compare the Kernel Entry Point in the original header with the values inside the OpenWrt image header. I have to set these values manually on an Archer D7 V1.

Example for Archer D7 ( using the same header )

IMAGE/sysupgrade.bin := tplink-v2-image -s -a 0x400 -L 0x80060000 -E 0x80060000 | \
        append-metadata | check-size $$$$(IMAGE_SIZE)