[Solved] Bricked my Archer C7 V2.0


#1

Hello Gents,

So it looks like I just bricked my Archer C7 (US) V2.0 (serial starting 216b). I bought it because I wanted to flash it to monitor bandwidth and also attached USB disks. Here is what happened:

1- Router was updated to latest official firmware (ArcherC7v2_en_us_180114).
2- I flashed it to OpenWRT 18.06.1 via web interface (had to put dd-wrt first). both worked, but I found that installing the packages for bandwidth monitoring and NTFS USB access difficult, so had to look for other options.
3- I flashed gargoyle_1.10.0 via web. it worked, but I had issues with WAN port. Was not sure if it's a software or hardware, so wanted to go to stock.
4- I tried flashing the stripped stock via Gargoyle web interface. Sadly the file uploaded but nothing happened.
5- I copied the same stripped stock file via Winscp to /tmp, then flashed it using PuTTy mtd -r write /tmp/tplink.bin firmware. Flashing completed but the router didn't respond to pings anymore.

When I turn it now, all LEDS go on twice, then off again except power (first and second LEDs), 5 GHz, both USB plus whatever LAN cable is connected. Router doesnt respond ot pings on 192.168.0.1 or 192.168.1.1 (or any in these subnets). The whole thing takes only few seconds, so it doesn't look like it's booting.

It seems that TFTP is working, I tried TFTP server by holding WPS while turning the router on. It downloads the file form the server (ad I can see that using wireshark,

29	1.431613	192.168.0.86	192.168.0.66	TFTP	87	Read Request, File: ArcherC7v2_tp_recovery.bin, Transfer type: octet, timeout=3

32	1.497162	192.168.0.66	192.168.0.86	TFTP	54	Option Acknowledgement, timeout=3

33	1.497450	192.168.0.86	192.168.0.66	TFTP	60	Acknowledgement, Block: 0

34	1.497727	192.168.0.66	192.168.0.86	TFTP	558	Data Packet, Block: 1

35	1.497971	192.168.0.86	192.168.0.66	TFTP	60	Acknowledgement, Block: 1

.....
.....

127805	290.524375	192.168.0.66	192.168.0.86	TFTP	558	Data Packet, Block: 31744

127806	290.524514	192.168.0.86	192.168.0.66	TFTP	60	Acknowledgement, Block: 31744

127807	290.524571	192.168.0.66	192.168.0.86	TFTP	46	Data Packet, Block: 31745 (last)

127808	290.524711	192.168.0.86	192.168.0.66	TFTP	60	Acknowledgement, Block: 31745

But then after file transfer completes (it takes only few seconds), nothing happens, and the router is still not responding to pings.

I tried this TFTP with striped stock, non-stripped, DD-WRT and OpenWRT, but in all cases it just transfer the file and that's it.

Is there anything more to try without opening the case? I don't wish to do serial to avoid doing more damage, as am not good with hardware.

I think I would want to have DD-WRT until I am experienced enough to work with OpenWRT, but I need to solve this brick issue first, so any firmware is good.

Many Thanks


#2

Unless you overwrote the bootloader, it's really hard to brick the Archer C7 v2 as it generally can be recovered with TFTP. I can't comment on OEM firmware, but I have recovered mine multiple times with OpenWRT firmware over TFTP. Instructions on the wiki page for the Archer C7

Best of luck with DD-WRT, though I'd avoid other OSes that aren't as up-to-date as they might be (Chaos Calmer and November 2017 are no longer considered secure). The community here is pretty good about support, especially if it sounds like you've checked the wiki and previous posts first. We all know both resources can be confusing at times.


#3

Many thanks Jeff for replying.

How can i be sure if boot loader wasn't overwritten? If the router downloads the firmware from TFTP, does this mean the bootloader is working? Because it doesn't seem to do anything after downloading the file (no LEDs flashing or anything.

Thanks
Mo


#4

So, Jeff, according to the wiki page for the Archer C7 link, I understand that if the TFTP downloads the file but then apparently it's not installed, then the image is rejected.

I see the way to confirm that is the serial console. Anyway around opening the case and soldering?

Thanks


#5

I can't "guarantee" it is working, but that it can download a file (I see you confirmed that with wireshark -- good plan) suggests that at least most of it is working.

Here are the "breadcrumbs" of my last TFTP recovery:

[jeff@miniup ~]$ ls -l /private/tftpboot/
total 59820
lrwxr-xr-x  1 root  wheel        61 Feb 21  2018 ArcherC7v2_tp_recovery.bin -> lede-17.01.4-ar71xx-generic-archer-c7-v2-squashfs-factory.bin
-rw-r--r--@ 1 root  wheel  16252928 Oct 18  2017 lede-17.01.4-ar71xx-generic-archer-c5-v1-squashfs-factory.bin
-rw-r--r--@ 1 root  wheel  16252928 Oct 18  2017 lede-17.01.4-ar71xx-generic-archer-c7-v2-squashfs-factory-us.bin
-rw-r--r--@ 1 root  wheel  16252928 Oct 18  2017 lede-17.01.4-ar71xx-generic-archer-c7-v2-squashfs-factory.bin

Yes, opening the case and tacking/soldering/clipping in an appropriate serial adapter (and perhaps pull-up resistor) would help you understand what is happening. If it's actually completing the TFTP transfer, it's likely the file (and potentially bad hardware, but nothing you've said suggests that to me).


#6

Thanks Jeff. I will give it a try. Will need to research the pull-up resistor thing.

Regards
Mo


#7

Hello Jeff,

So I got a DB9 USB to serial https://www.radioshack.com/products/gigaware-usb-to-serial-cable, connected it to a female-female cable, then to the router using paperclips, with port settings and pin-outs as per [Solved] Archer C7 v2 - firmware version 3.15.1 - cannot install! - Help. When I boot the router, I get gibberish in the console (see attached photo). I tried different baud rates, in addition to the mentioned 115200, but still no good. I replaced the driver that Windows 10 automatically installed by a driver I downloaded, but still the same gibberish.Annotation%202018-12-30%20215814

Any Ideas?

Many thanks


#8

That USB2serial stick is unsuitable, it may use up to +/- 25 volts, while your router won't survive more than 3.3 volts (you must make sure to only connect USB2serial adaptors made for 3.3 volts) - it's quite likely that you have already damaged your router beyond repair by using that device.


#9

I wasn't connecting any power to the router; only TX, RX and Ground. So why should the volt matter?

I tried watching the serial while recovering in TFTP mode. Router still downloads the firmware form the computer (I can see that in TFTPD and also I can see it happening in the console (except that I can't read it). Image attached.Annotation%202018-12-30%20234716 .

Thanks for your help.


#10

Because your tx (of the usb2serial stick) uses a signal level up to +/- 25 volts, cooking the router's rx (and more behind it), which can only cope with 3.3 volts max.

https://openwrt.org/docs/techref/hardware/port.serial#voltage_levels

In order to use your usb2serial device, you'd need to add a level shifter, bringing the signal down to 3.3 volts - but given that matching 3.3 volts USB2serial devices sell for 1-5 bucks, it doesn't make sense to deal with level shifters anymore.


#11

Ah OK. Thanks.

I guess the router is gone then!


#12

#13

So I got FTDI FT232RL, connected it and booted the router in recovery mode. I read in Hyper Terminal the code below. No my question is would there be a possibility to flash using TFTP? I am just reluctant to flash using serial (not sure about this pull-up resistor thing; I am not really skilled with these matters).

U-Boot 1.1.4 (Jan 14 2018 - 10:37:14)

ap135 - Scorpion 1.0DRAM:
sri
Scorpion 1.0
ath_ddr_initial_config(179): (32bit) ddr2 init
tap = 0x00000003
Tap (low, high) = (0x4, 0x1f)
Tap values = (0x11, 0x11, 0x11, 0x11)
128 MB
Flash Manuf Id 0xef, DeviceId0 0x40, DeviceId1 0x18
flash size 16MB, sector count = 256
Flash: 16 MB
Using default environment

*** Warning *** : PCIe WLAN Module not found !!!
In:    serial
Out:   serial
Err:   serial
Net:   ath_gmac_enet_initialize...
athrs_sgmii_res_cal: cal value = 0x6
No valid address in Flash. Using fixed address
No valid address in Flash. Using fixed address
ath_gmac_enet_initialize: reset mask:c02200
Scorpion  ----> S17 PHY *
Vlan config...
TEST: FINAL REG VAL after TX Calibration - 0x46000000
TEST: FINAL XMII VAL after RX Calibration - 0x56000000
TEST: FINAL ETH_CFG VAL after RX Calibration - 0x00014001
athrs17_reg_init: complete
: cfg1 0x80000000 cfg2 0x7335
eth0: ba:be:fa:ce:08:xx
eth0 up
athrs17_reg_init_wan done
SGMII in forced mode
athr_gmac_sgmii_setup SGMII done
: cfg1 0x800c0000 cfg2 0x7214
eth1: ba:be:fa:ce:08:xx
eth1 up
eth0, eth1
Setting 0x18116290 to 0x58b1214f
eth1 link down
eth0 link down
Using eth1 device
TFTP from server 192.168.0.66; our IP address is 192.168.0.86
Filename 'ArcherC7v2_tp_recovery.bin'.
Load address: 0x80060000
Loading: T T ## Booting image at 9f020000 ...
   Uncompressing Kernel Image ... OK

Starting kernel ...

#14

That you've got "clean" serial output suggests that you probably don't need a pull-up resistor. I typically trigger TFTP with the reset switch, rather than through the serial line. The serial output can help confirm when you can let loose of the button and that things are working properly.

https://openwrt.org/toh/tp-link/archer-c5-c7-wdr7500#tftp_recovery_de-bricking provides reasonable directions for performing a TFTP flash.

To activate TFTP Recovery press and hold WPS/Reset Button during powering on until WPS LED turns on.

or until you see the TFTP connection and download starting on the serial line.


#15

Thanks Jeff.

I have finished flashing to OpenWrt a while ago, and was about to give feedback in case it can later help a novice like me.

So I followed the steps of flashing using PuTTy. Typing tpl gave me a hard time, but I guess the connection was dodgy at first (I didn't want to solder). Why don't they populate a header, I don't know.

When typing to flash, every now and then letters showed gibberish. I guess it might be the resistance thing (I measured and got 500 and 10K as reported in some pages). Or it could be the connection, I don't know. Anyway, when that happened, I just hit backspace to delete the bad characters, and continued.

Initially my router would start booting then stops at kernel as mentioned earlier (so no boot loop). Looking at Putty showed IDs of 0 and verification success. I flashed with stock Web Revert (I thought that was the stripped version) and that made the router go into not loop, and ID verification failed. Serial-less TFTP recovery was still not possible. I flashed OpenWrt using serial and it worked.

Router is running latest of OpenWrt now.

I will now see if the WAN is working or not. I may have to revert to stock or otherwise install another custom firmware. I understand the security concerns of outdated firmware, but it's just that OpenWrt seems a bit too advanced for me.

Just a question or two. If I want to revert to stock, where do I type the commands (I don't want to connect via serial again), and where do I get the stripped version (if it's what's required). The famous link doesn't work.

I read some post about going to stock via DD-WRT. Is there anything against that?

Thanks
Mo


closed #16

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.