RE650 flash via Putty

Hello, i fucked up.

What have i done:

  • bought TP Link RE650 v2

  • Installed OpenWRT

  • to dump to make simple things.

  • flash OEM firmware - Without using Firmwareconverter....

  • can´t boot anymore

  • bougt UART-TTL USB Converter

  • soldert TXDGND/RXD on board an connectet viceversa to the USB.

  • startet Putty (Serial, COM4, 57600, 8:1)

finding the TP LInk in BootLoop:

===================================================================
                MT7621   stage1 code done
                CPU=500000000 HZ BUS=166666666 HZ
===================================================================


U-Boot 1.1.3 (Sep  7 2021 - 19:31:32)

Board: Ralink APSoC DRAM:  128 MB
relocate_code Pointer at: 87fb8000

Config XHCI 40M PLL
******************************
Software System Reset Occurred
******************************
flash manufacture id: ef, device id 40 17
find flash: W25Q64BV
*** Warning - bad CRC, using default environment

============================================
Ralink UBoot Version: 5.0.0.0
--------------------------------------------
ASIC MT7621A DualCore (MAC to MT7530 Mode)
DRAM_CONF_FROM: Auto-Detection
DRAM_TYPE: DDR3
DRAM bus: 16 bit
Xtal Mode=3 OCP Ratio=1/3
Flash component: SPI Flash
Date:Sep  7 2021  Time:19:31:32
============================================
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:256, ways:4, linesz:32 ,total:32768

 ##### The CPU freq = 880 MHZ ####
 estimate memory size =128 Mbytes
#Reset_MT7530
gpioMode Reg: 0x4852c

Please choose the operation:
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial.
   9: Load Boot Loader code then write to Flash via TFTP.
  • disconnect laptop from Wifi, Connect laptop lan to TP Link
  • set laptop ip to 192.168.0.100
  • setup tfptd to 192.168.0.100 , with the OEM file renamed to test.bin
  • back to putty: typed 2
  • console asks about client ip (192.168.0.254) and Server ip (192.168.0.100) and the filename (test.bin)
    -ENTER

it gets the file, could see some Checksums failed (sry boot it endet in bootloop and this part was gone, this is what i could get:)

###################################################
done
Bytes transferred = 7581119 (73adbf hex)
LoadAddr=80100000 NetBootFileXferSize= 0073adbf
...................................................................................................................
...................................................................................................................
.
.
Done!
## Booting image at bfc20000 ...
text base: ffffffff
entry point: ffffffff
   Uncompressing Kernel Image ... LZMA ERROR 1 - must RESET board to recover

aaaand after this i thought, what would the experts do?
So here i am asking, what do i need to do, to get my RE 650 back working?

Some other infos i found:


MT7621 # bdinfo
boot_params = 0x87F57FB0
memstart    = 0x80000000
memsize     = 0x08000000
flashstart  = 0x00000000
flashsize   = 0x00800000
flashoffset = 0x00000000
ethaddr     = 00:00:AA:BB:CC:DD
ip_addr     = 192.168.0.254
baudrate    = 57600 bps

MT7621 # printenv
bootcmd=tftp
bootdelay=1
baudrate=57600
ethaddr="00:AA:BB:CC:DD:10"
ipaddr=192.168.0.254
serverip=192.168.0.1
stdin=serial
stdout=serial
stderr=serial

Environment size: 151/4092 bytes

Try flashing Openwrt the same way ?

Thank you for your attention.

Sounded simple, but didn´t work either..

At least i got the whole output this time:

2: System Load Linux Kernel then write to Flash via TFTP.
 Warning!! Erase Linux in Flash then burn new one. Are you sure?(Y/N)
 Please Input new ones /or Ctrl-C to discard
        Input device IP (192.168.0.254) ==:192.168.0.254
        Input server IP (192.168.0.1) ==:192.168.0.100
        Input Linux Kernel filename () ==:owrtre650.bin

 NetTxPacket = 0x87FE5C00

 KSEG1ADDR(NetTxPacket) = 0xA7FE5C00

 NetLoop,call eth_halt !

 NetLoop,call eth_init !
Trying Eth0 (10/100-M)

 Waitting for RX_DMA_BUSY status Start... done


 ETH_STATE_ACTIVE!!
TFTP from server 192.168.0.100; our IP address is 192.168.0.254
Filename 'owrtre650.bin'.

 TIMEOUT_COUNT=10,Load address: 0x80100000
Loading: checksum bad
checksum bad
checksum bad
checksum bad
checksum bad
checksum bad
checksum bad
checksum bad
Got ARP REPLY, set server/gtwy eth addr (00:e0:4c:68:0b:0b)
Got it
#################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #######Got ARP REQUEST, return our IP
##########################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #####################################
done
Bytes transferred = 6844143 (686eef hex)
LoadAddr=80100000 NetBootFileXferSize= 00686eef
........................................................................................................
........................................................................................................
.
.
Done!
## Booting image at bfc20000 ...
text base: ffffffff
entry point: ffffffff
   Uncompressing Kernel Image ... LZMA ERROR 1 - must RESET board to recover

Probably you could ask the guy who wrote Firmwareconverter. He might know about this something. Otherwise a possible but probably quite a difficult way forward is pull the flash chip off the board, read the firmware from the chip, fix it, flash it back and solder the chip back on the board. Unfortunately, every step here is quite involved.

or uboot option 1, and boot the initramfs, then try to sysupgrade,
or just try an older release, see if the LZMA error's there too.

https://downloads.openwrt.org/releases/22.03.0/targets/ramips/mt7621/

got the LZMA error too with 22.03.0, unfortunately the older ones are only listed for hardware version 1...

Regarding Option 1

You choosed 1
                                                                              0


1: System Load Linux to SDRAM via TFTP.
 Please Input new ones /or Ctrl-C to discard
        Input device IP (192.168.0.254) ==:192.168.0.254
        Input server IP (192.168.0.1) ==:192.168.0.100
        Input Linux Kernel filename () ==:owrt_22_03_0initramfs.bin

 NetTxPacket = 0x87FE5C00

 KSEG1ADDR(NetTxPacket) = 0xA7FE5C00

 NetLoop,call eth_halt !

 NetLoop,call eth_init !
Trying Eth0 (10/100-M)

 Waitting for RX_DMA_BUSY status Start... done


 ETH_STATE_ACTIVE!!
TFTP from server 192.168.0.100; our IP address is 192.168.0.254
Filename 'owrt_22_03_0initramfs.bin'.

 TIMEOUT_COUNT=10,Load address: 0x80a00000
Loading: checksum bad
checksum bad
checksum bad
checksum bad
checksum bad
checksum bad
checksum bad
checksum bad
checksum bad
checksum bad
Got ARP REPLY, set server/gtwy eth addr (00:e0:4c:68:0b:0b)
Got it
#################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         ##############Got ARP REQUEST, return our IP
###################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         ##############
done
Bytes transferred = 5726448 (5760f0 hex)
LoadAddr=80a00000 NetBootFileXferSize= 005760f0
Erasing SPI Flash...
.
Writing to SPI Flash...

done
Automatic boot of image at addr 0x80A00000 ...
## Booting image at 80a00000 ...
text base: 80001000
entry point: 80001000
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80001000) ...
## Giving linux memsize in MB, 128

Starting kernel ...

[    0.000000] Linux version 5.10.138 (builder@buildhost) (mipsel-openwrt-linux-musl-gcc (OpenWrt GCC 11.2.0 r19685-512e76967f) 11.2.0, GNU ld (GNU Binutils) 2.37) #0 SMP Sat Sep 3 02:55:34 2022
[    0.000000] SoC Type: MediaTek MT7621 ver:1 eco:3
[    0.000000] printk: bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 0001992f (MIPS 1004Kc)
[    0.000000] MIPS: machine is TP-Link RE650 v2
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] VPE topology {2,2} total 4
[    0.000000] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.000000] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000]   HighMem  empty
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] percpu: Embedded 15 pages/cpu s30256 r8192 d22992 u61440
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 32480
[    0.000000] Kernel command line: console=ttyS0,57600 rootfstype=squashfs,jffs2
[    0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes, linear)
[    0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes, linear)
[    0.000000] Writing ErrCtl register=00036801
[    0.000000] Readback ErrCtl register=00036801
[    0.000000] mem auto-init: stack:off, heap alloc:off, heap free:off
[    0.000000] Memory: 116592K/131072K available (7001K kernel code, 628K rwdata, 824K rodata, 4204K init, 243K bss, 14480K reserved, 0K cma-reserved, 0K highmem)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
[    0.000000] rcu: Hierarchical RCU implementation.
[    0.000000]  Tracing variant of Tasks RCU enabled.
[    0.000000] rcu: RCU calculated value of scheduler-enlistment delay is 10 jiffies.
[    0.000000] NR_IRQS: 256
[    0.000000] CPU Clock: 880MHz
[    0.000000] clocksource: GIC: mask: 0xffffffffffffffff max_cycles: 0xcaf478abb4, max_idle_ns: 440795247997 ns
[    0.000012] sched_clock: 64 bits at 880MHz, resolution 1ns, wraps every 4398046511103ns
[    0.015855] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 4343773742 ns
[    0.033802] Calibrating delay loop... 586.13 BogoMIPS (lpj=2930688)
[    0.106111] pid_max: default: 32768 minimum: 301
[    0.115421] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
[    0.129822] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
[    0.147970] rcu: Hierarchical SRCU implementation.
[    0.157759] dyndbg: Ignore empty _ddebug table in a CONFIG_DYNAMIC_DEBUG_CORE build
[    0.173303] smp: Bringing up secondary CPUs ...
[    0.183006] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[    0.183016] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.183027] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[    0.183101] CPU1 revision is: 0001992f (MIPS 1004Kc)
[    0.243115] Synchronize counters for CPU 1: done.
[    0.304689] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[    0.304698] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.304705] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[    0.304750] CPU2 revision is: 0001992f (MIPS 1004Kc)
[    0.363926] Synchronize counters for CPU 2: done.
[    0.424247] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[    0.424255] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.424263] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[    0.424313] CPU3 revision is: 0001992f (MIPS 1004Kc)
[    0.483500] Synchronize counters for CPU 3: done.
[    0.543109] smp: Brought up 1 node, 4 CPUs
[    0.555226] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.574729] futex hash table entries: 1024 (order: 3, 32768 bytes, linear)
[    0.588543] pinctrl core: initialized pinctrl subsystem
[    0.601203] NET: Registered protocol family 16
[    0.611095] thermal_sys: Registered thermal governor 'step_wise'
[    0.612348] cpuidle: using governor teo
[    0.670826] clocksource: Switched to clocksource GIC
[    0.682455] NET: Registered protocol family 2
[    0.691451] IP idents hash table entries: 2048 (order: 2, 16384 bytes, linear)
[    0.706876] tcp_listen_portaddr_hash hash table entries: 512 (order: 0, 6144 bytes, linear)
[    0.723536] TCP established hash table entries: 1024 (order: 0, 4096 bytes, linear)
[    0.738658] TCP bind hash table entries: 1024 (order: 1, 8192 bytes, linear)
[    0.752647] TCP: Hash tables configured (established 1024 bind 1024)
[    0.765403] UDP hash table entries: 256 (order: 1, 8192 bytes, linear)
[    0.778290] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes, linear)
[    0.792396] NET: Registered protocol family 1
[    0.800958] PCI: CLS 0 bytes, default 32
[    4.489145] workingset: timestamp_bits=14 max_order=15 bucket_order=1
[    4.506069] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    4.517563] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    4.537894] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 251)
[    4.554192] mt7621_gpio 1e000600.gpio: registering 32 gpios
[    4.565545] mt7621_gpio 1e000600.gpio: registering 32 gpios
[    4.576869] mt7621_gpio 1e000600.gpio: registering 32 gpios
[    4.588793] Serial: 8250/16550 driver, 16 ports, IRQ sharing enabled
[    4.605734] printk: console [ttyS0] disabled
[    4.614203] 1e000c00.uartlite: ttyS0 at MMIO 0x1e000c00 (irq = 19, base_baud = 3125000) is a 16550A
[    4.632119] printk: console [ttyS0] enabled
[    4.632119] printk: console [ttyS0] enabled
[    4.648660] printk: bootconsole [early0] disabled
[    4.648660] printk: bootconsole [early0] disabled
[    4.670487] spi-mt7621 1e000b00.spi: sys_freq: 220000000
[    4.682657] spi-nor spi0.0: s25fl064k (8192 Kbytes)
[    4.692504] 4 fixed-partitions partitions found on MTD device spi0.0
[    4.705151] Creating 4 MTD partitions on "spi0.0":
[    4.714702] 0x000000000000-0x000000020000 : "u-boot"
[    4.725601] 0x000000020000-0x0000007c0000 : "firmware"
[    4.737211] 0x0000007c0000-0x0000007ed440 : "config"
[    4.748149] 0x0000007f0000-0x000000800000 : "radio"
[    4.802668] mt7530 mdio-bus:1f: MT7530 adapts as multi-chip module
[    4.817455] mtk_soc_eth 1e100000.ethernet: generated random MAC address 2e:50:36:56:03:6e
[    4.834559] mtk_soc_eth 1e100000.ethernet eth0: mediatek frame engine at 0xbe100000, irq 21
[    4.852091] i2c /dev entries driver
[    4.861649] mt7621-pci 1e140000.pcie: host bridge /pcie@1e140000 ranges:
[    4.875035] mt7621-pci 1e140000.pcie:   No bus range found for /pcie@1e140000, using [bus 00-ff]
[    4.892557] mt7621-pci 1e140000.pcie:      MEM 0x0060000000..0x006fffffff -> 0x0000000000
[    4.908862] mt7621-pci 1e140000.pcie:       IO 0x001e160000..0x001e16ffff -> 0x0000000000
[    4.925255] mt7621-pci 1e140000.pcie: Parsing DT failed
[    4.937961] NET: Registered protocol family 10
[    4.948511] Segment Routing with IPv6
[    4.955936] NET: Registered protocol family 17
[    4.964897] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
[    4.991072] 8021q: 802.1Q VLAN Support v1.8
[    5.002861] mt7530 mdio-bus:1f: MT7530 adapts as multi-chip module
[    5.050305] mt7530 mdio-bus:1f lan (uninitialized): PHY [mt7530-0:00] driver [MediaTek MT7530 PHY] (irq=26)
[    5.074663] mt7530 mdio-bus:1f: configuring for fixed/rgmii link mode
[    5.091524] DSA: tree 0 setup
[    5.097730] rt2880-pinmux pinctrl: pcie is already enabled
[    5.108765] mt7621-pci 1e140000.pcie: host bridge /pcie@1e140000 ranges:
[    5.122140] mt7621-pci 1e140000.pcie:   No bus range found for /pcie@1e140000, using [bus 00-ff]
[    5.139670] mt7621-pci 1e140000.pcie:      MEM 0x0060000000..0x006fffffff -> 0x0000000000
[    5.155992] mt7621-pci 1e140000.pcie:       IO 0x001e160000..0x001e16ffff -> 0x0000000000
[    5.172375] mt7621-pci-phy 1e149000.pcie-phy: PHY for 0xbe149000 (dual port = 1)
[    5.187453] mt7621-pci-phy 1e14a000.pcie-phy: PHY for 0xbe14a000 (dual port = 0)
[    5.202464] mt7621-pci 1e140000.pcie: failed to parse bus ranges property: -22
[    5.317122] mt7621-pci-phy 1e149000.pcie-phy: Xtal is 40MHz
[    5.328237] mt7621-pci-phy 1e14a000.pcie-phy: Xtal is 40MHz

then it froze. i let it for 5 min until i switched it off.

now it won´t download any other .bin -> Timeout. Although it statet ETH is aktive

but now it remembers the filename and the Server IP, before i had to change it everytime ..suspicious...

is there another easy to use tftp server? to check things out

Looks like it started booting. I don't see lzma error in that log. I think, maybe the other file you were trying to flash got corrupted while downloading and that's where lzma error comes from? Did you check its integrity?

All 4 .bin files gave the exact SHA256 Checksum back like listed on the releases site.
22.03.0 initramfs.bin is shown in tftpd with 5726448 bytes

Tried once again the 22.03.0 initramfs.bin and got an lzma error.

Furthermore im only once cabable of sending an .bin
Every try after this im getting Timeout. Even with everything plugged out inbetween.

I will try this a few more day and then it will hit the bin.

If someone knows a detail im not getting, i will apreciate it.

The inconsistent behavior is strange, as well as LZMA errors. This kinda suggests either damage to the board, or bad connection. IMO.

Probably makes sense to make sure that the connection between your UART-TTL converter and the board is correct and good, and that the cable is short (long cable may pick up interference).
Also inspect the board, just in case, for knocked off components or other damage.

bad UART connection won't generate an LZMA error for a file transferred via ethernet.

Ah, that makes sense. Then possibly bad ethernet connection?

1 Like

Today i got it completed.

I don´t know why it failed, but on the third PC with different LAN cable it worked.

After every Fail i had to wait for 10 min with disconnectet Powerplug/ Uart/ Lan cable!

sometimes it booted until the phrase "40mhz" and freezed.

The one time it worked it was in this order:

download

go to https://argsnd.github.io/tp-link-stock-firmware-converter/
upload RE650(EU)_V2_211130.bin and it should download automatically our openwrt usable stockfirmware image.bin

buy an UART https://amzn.eu/d/3nMeG7v

Solder TXD/GND/RXD like this picture https://openwrt.org/toh/tp-link/re650_v2#serial
re650_v2_pcb

Connect GND-GND/ TXD-RXD / RXD-TXD

put in the uart stick, wait for windows to finishe driver and look in gerätemanager for your com port.

start putty in serial mode, my com Port was COM3 and for RE650 v2 speed is 57600

deactivate Wifi adapter on Laptop (Windows), Deactivate DHCP on Lan and set ip to 192.168.0.100, 255.255.255.0

Connect LAN cable between laptop and RE650
connect RE650 to PowerPlug,
watch putty window and break boot loop by pressing 1 (System Load Linux to SDRAM via TFTP)

start tftpd and host the folder with the bin files, using the adatper 192.168.0.100

back to putty
enter 192.168.0.254 for re650 ip
enter 192.168.0.100 for tftp host/laptop ip
enter tplink_re650-v2-initramfs-kernel.bin for name

enter and don´t touch anything, not even the table.
even with bad checksums it processes to reboot (estimatet time=2 minutes)
if you think it freezed, press enter. OPENWRT logo should appear in putty.

keep putty window open in background

enter Lan adapter setting and activate DHCP

run windows commandline (win+r ; cmd) with command ipconfig
look for standartgateway ip ... maybe 192.168.1.1

open browser and enter this ip

luci should open.
flash new firmware and take tplink_re650-v2-squashfs-factory.bin
don´t remember any settings or backups.

it should reboot.

open again the re650 ip to luci
flash firmware using our converted openwrt usable stockfirmware image.bin
dont´remember any settings, force image flashing

it will reboot, wait 3 min.

finished.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.