Re-Stocking TP-link MR200 archer


I have a ISP branded Archer MR200 ( o2-cz), and I followed guides from , and some forum posts.

As I want to flash stock tplink fw, I run these:
strip header:
dd if=O2_latest_archer.bin of="o2.without.hearder.bin" bs=512 skip=1

extract bootloader:
dd bs=512 obs=512 skip=1 count=256 if=o2.without.hearder.bin of=ArcherMR200_bootloader.bin

now strip header from tplink fw:
dd if=tplink_latest_archer.bin of="tplink.without.hearder.bin" bs=512 skip=1
now strip bootloader:
dd bs=512 obs=512 skip=257 if=tplink.without.hearder.bin of=tplink_without_bootloader.bin

combine o2 bootloader with tplink fw:
cat ArcherMR200_bootloader.bin tplink_without_bootloader.bin > ArcherC2V1_tp_recovery.bin

And I'll flash this using TFTP right?

binwalk of my end result:

❯ binwalk ArcherC2V1_tp_recovery.bin

95648         0x175A0         U-Boot version string, "U-Boot 1.1.3 (Aug 16 2018 - 08:45:15)"
131072        0x20000         LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 3696052 bytes
1441280       0x15FE00        Squashfs filesystem, 

Thanks in advance.

Btw, latest branded fw:
latest tplink:

CC @gurangax sorry to spam you, but I saw you in so many posts about MR200, so I though maybe you'll have a minute for me :slight_smile:

end result bin:

Is this related to openwrt somehow? If you want to install tplink firmware you may have more luck with their forums.

Hi. Yes that is correct steps. Should work.

1 Like

Looks like I bricked it with that fw,
seems like router is still looking for with arp probe in wireshark, but it does nothing after that ... sounds like tftp recovery.

Yeah I have tftp server running in with:

sudo dnsmasq -i en8 -p 0 -z --enable-tftp --tftp-root=$PWD/tftproot/ --tftp-no-blocksize --user=i337562 --group=staff --keep-in-foreground

recovery bin in ./tftproot/

ip adress manually on en8 interface with address and nothing happens

Disabled the firewall?

dnsmasq has allow all connections in firewall, that's probably best I can do, hmm, maybe I'll try setting it on windows.

Yeah, didn't help, actually the router is not looking for with ARP, that's just how ARP works when you preset manually your IP to, so yeah, I believe it is bricked.

To truly de-brand it, wouldn't you also want the TP-Link bootloader?

Generally if the bootloader is corrupted, all the LEDs will come on and stay on at power up (rather than flashing on for a short time) and there will be no output from the serial port. If that has happened, you'll need to use a SPI programmer to rewrite bootloader directly to the flash chip.

Before writing anything to the flash chip, read it and save in a file as there is unit-specific factory data in places. Hopefully that is still there.

I read in some previous topics, that the bootloader needs to be from branded fw.

Current state is, that after start only LED that comes on is from whereever LAN is connected.

I suspect that I didn't extract the bootloader correctly, and thus it's broken now,
@gurangax could you please check my final bin if bootloader is there correctly,
I think you are the most knowledgeable around branded MR200, sorry to bother you again.


I will double check later

I checked, and found that your final bin is different from mine, assuming we used the same firmware as you provided in the links.
Here is the link to the correct final bin

1 Like

Yeah I thought I probably didn't cut it correctly :expressionless:

Anyway, as I don't have any LEDs coming after power on, I guess my only option would be:

that is one option. just remember to do a firmware dump first. the last 3 partitions of the firmware is important

There is another option?