On flashing stock fw:
tl;dr: To flash the device with the stock fw,
printf \\xef\\xcd\\xab\\x89 > /dev/mtdblock8
This will activate web fw recovery on next boot. Upload TP-Link fw via the web interface. The server address will be 192.168.0.1.
Detail:
Using sysupgrade to flash the device back to the stock fw wouldn't work for some reason. You'll brick the device and you'll need the serial console to run httpd on the first u-boot.
The first partition of the SPI flash contains the boot loader with a web server for firmware recovery. The boot loader checks whether the 4 bytes at flash address 0x007e0000 are ef cd ab 89. Normally, this section of the flash memory is left untouched (00 00 00 00), so the first boot loader loads the second boot loader, which kickstarts the kernel. If the value is indeed ef cd ab 89, the boot loader assumes that the flashing was not successful and runs the httpd program, which allows you to upload firmware to recover the device. You can basically upload any firmware, be it a stock fw or an OpenWrt one.
I figured this out by observing the serial output of the stock fw when commencing a fw upgrade. One line of the output is:
spiflash_ioctl_write, Write to 0x007e0000 length 0x10000, ret 0, retlen 0x10000
I cut the power to the device before it started to write the uploaded fw and I inspected the contents of the SPI flash memory by using the spi command on the u-boot terminal.
The section of the flash memory is exposed as /dev/mtdblock8 on OpenWrt. It starts with a bunch of zeros for the first bytes and then 0xff for the rest of the partition.
I thought someone without access to the serial console would appreciate this... Or you can just create a tftp-recovery image with a stock fw.
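A guarded version of the one-liner, as an added example that is not part of the original post: it reads the first 4 bytes of the partition, writes ef cd ab 89 only if they are currently 00 00 00 00, and reads them back afterwards. The function names are hypothetical, and it assumes the device's busybox provides od and dd with conv=notrunc.

```shell
#!/bin/sh
# Added example; function names are hypothetical.
# MAGIC and CLEAR are the byte values given in the post.
MAGIC=efcdab89
CLEAR=00000000

# Print the first 4 bytes of a partition (or image file) as lowercase hex.
flag_bytes() {
    dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Classify the flag: "armed" (web recovery on next boot), "clear" or "unexpected".
flag_state() {
    case "$(flag_bytes "$1")" in
        "$MAGIC") echo armed ;;
        "$CLEAR") echo clear ;;
        *)        echo unexpected ;;
    esac
}

# Write the magic only if the target currently starts with 00 00 00 00,
# so a mistyped partition is left alone, then confirm it by reading back.
arm_recovery() {
    state=$(flag_state "$1")
    [ "$state" = armed ] && return 0
    if [ "$state" != clear ]; then
        echo "refusing: $1 starts with '$(flag_bytes "$1")', expected $CLEAR" >&2
        return 1
    fi
    # Octal escapes for ef cd ab 89 (portable across printf implementations);
    # conv=notrunc keeps the length unchanged when the target is a regular file.
    printf '\357\315\253\211' | dd of="$1" bs=4 count=1 conv=notrunc 2>/dev/null
    [ "$(flag_state "$1")" = armed ]
}

# Usage on the device: sh thisscript /dev/mtdblock8
if [ -n "${1:-}" ]; then
    arm_recovery "$1" && echo "$1: $(flag_state "$1")"
fi
```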