[SOLVED] Bricked my router, next steps

Those capacitors will be fine, just the label is a bit singed. When they are overheated they explode.

Working only from the bottom, preheat the board with a hot air gun then reflow the solder with your soldering iron.

Yup, pretty sure they're not completely on the pads :confused: unfortunately.

I think it might be the solder. The iron's at a constant 330C but it never actually flows. I tried 20 seconds but couldn't hold it there any longer because I thought I might wreck the board. Maybe higher temps? I have new, fresh solder coming in the mail as well. What temperature level is acceptable for 63/37?

I added some solder paste (flux) to the iron but forgot to add it to the pins before putting it on the board. Might have to paint some on with a brush.

If you're not already, you should be using "rosin core" electronic solder which has the proper kind of flux in the solder itself. "Flux", if not for electronics purposes, is typically nasty, acid stuff that will ruin a board.

My "professional" (micro-tip, temperature controlled) iron runs at 750 °F (about 400 °C) and I work very fast with it (been soldering about as long as I've been riding a bicycle). Others recommend somewhere in the 330-370 °C range.

3 Likes

330C is warm enough and very safe. I normally worked (20 years ago) with 370 with this stuff and 400 with smaller components but it is all technique and matter of preference. Once you learn it is like riding a bicycle :slight_smile:
A simple way to know it is warm enough is melt the soldering wire (has the acid already) touching the contact or pad itself rather than the pen tip.
E.g., heat the contact with the pen till the soldering wire melts when you touch it and keep holding the pen till it looks nice. This video is a nice example.
No need to add more acid (flux) unless you are reballing or cleaning or dealing with rough and dirty stuff.
Fancy soldering station is nice but 10$ soldering pen will do just as fine for this.

Edit:
You might want to have a fine soldering iron to lift the memory vcc leg from the board and put it back on when you are done. To get the whole IC off with a pen requires some more skill so I would recommend to use a heat-gun instead. I can try to shoot a video guide...

1 Like

According to the wiki the flash IC is w25q64fvsig. According to its data-sheet (page 6), the vcc is leg 8. It is the corner and should be fairly easy to lift. Alternatively, you can use this one for upgrading it to 16mbyte if you plan to do the work of taking it off anyway. It will require a small image tweak to benefit from added memory.

Yup, the new solder has a rosin core.

I'll try with the SOP8 clip first. Maybe if I'm lucky the board won't power up. Still waiting for the delivery though (shipping here is quite slow, I wish I ordered the gear back in Korea). At least the tools are much cheaper here in China, even if I don't understand the gibberish Chinese/English mess on the ordering page :smiley:

I'm kind of curious though. If I hypothetically replaced the chip with 16M, what would you have to change in order to get the router to recognize the extra space? Hex edit the firmware?

Rebuild the kernel, as that is what contains the “partition map” or “formatting” of the chip. Depending on device, you may need to move raw data around as well (important stuff at the end of the 8 MB chip would be in the middle of where you’d want to define for your new firmware).

1 Like

Well, I got the serial cable today. Tried connecting it to the router. As far as I know, the solder job worked (I re-did it yesterday) because there was a flash on the PuTTY console every time I powered on the router. Sadly, the characters outputted were gibberish and there was maybe one or two characters at the most. Time to dump the chip and see how it goes.

BTW can anybody recommend a CH341 programmer software for Windows that is preferably virus-free and open-source?

OK, I tried reading the flash with the SOP8 clip. Unsurprisingly the CPU powered on, the LEDs came on and the flashrom software on Linux failed to read the chip. (It did detect the correct chip and did read the first 301 bytes or so.)

I guess it's time to desolder this thing. :confused:

@vov4ik_il, I desoldered the 8th pin and then reconnected the clip. I don't think my desoldering worked because the board still powered up and started to interrupt reads. At least this time around I was able to complete some flash reads and flashrom didn't complain a lot.

However, I ran md5sum on 4 dumps and all 4 hashes are different. So.... no good I guess. I'm not sure if I can remove the entire chip from the board without killing it but it's worth a try lol.

One thing to note - I looked at the hex printout of the first dump and it started with "ver 2.0" or something like that so I'm hopeful that maybe some part of the flash survived my clumsy bricking attempt.
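A per-block comparison narrows down where repeated reads like these disagree, which a whole-file md5sum cannot show. This is an added example, not part of the original thread; the script name and dump file names are placeholders.

```shell
#!/bin/sh
# Added example: report which blocks disagree between repeated reads of one chip.
# unstable_blocks BLOCK_SIZE DUMP1 DUMP2 [DUMP3 ...]
# Prints the hex start offset of each block that is not byte-identical in
# every dump; prints nothing when all reads agree. Returns 2 on a size mismatch.
unstable_blocks() {
    bs=$1; shift
    ref=$1
    size=$(wc -c < "$ref")
    for f in "$@"; do
        if [ "$(wc -c < "$f")" -ne "$size" ]; then
            echo "size mismatch: $f" >&2
            return 2
        fi
    done
    blocks=$(( (size + bs - 1) / bs ))
    i=0
    while [ "$i" -lt "$blocks" ]; do
        # Hash block i of the first dump, then compare every dump against it
        want=$(dd if="$ref" bs="$bs" skip="$i" count=1 2>/dev/null | md5sum)
        for f in "$@"; do
            got=$(dd if="$f" bs="$bs" skip="$i" count=1 2>/dev/null | md5sum)
            if [ "$got" != "$want" ]; then
                printf '0x%06X\n' $(( i * bs ))
                break
            fi
        done
        i=$(( i + 1 ))
    done
}

# Hypothetical invocation: sh blocks.sh 65536 read1.bin read2.bin read3.bin
if [ "$#" -ge 3 ]; then
    unstable_blocks "$@"
fi
```

Offsets that show up in every run point at a region that never reads cleanly; an empty report means the dumps can be trusted as a baseline.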

Spot on.
First, let's make sure you did apply the fix to your adapter so it does not spike 5v. Lift the leg of the IC on the reader, wire it to the capacitor and voltage controller. That way the voltage will be 3.3v and it will read and write with proper levels.

Hex editor+Programmer+Driver

Oops, I didn't apply that fix. I'll try wiring it tomorrow night.

In the meantime I'm not sure what to flash once I get it going. I figured I would write the U-boot environment quick once I do manage to interface with the chip correctly, but dunno how to extract that.

EDIT: I binwalked the original firmware file:

```
ubuntu@ubuntu:~/Downloads$ binwalk Archer_C2v1_0.9.1_5.0_up_boot\(170221\)_2017-02-21_17.14.36.bin
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
95648         0x175A0         U-Boot version string, "U-Boot 1.1.3 (Aug 31 2015 - 16:32:16)"
132096        0x20400         LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 3523636 bytes
1442304       0x160200        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 5317117 bytes, 649 inodes, blocksize: 131072 bytes, created: 2017-02-21 07:24:58
```

Shaved off 1024 bytes to align the kernel with the kernel partition:

```
ubuntu@ubuntu:~/Downloads$ dd if=Archer_C2v1_0.9.1_5.0_up_boot\(170221\)_2017-02-21_17.14.36.bin of=new_flash.bin bs=1 skip=1024
8125952+0 records in
8125952+0 records out
8125952 bytes (8.1 MB, 7.7 MiB) copied, 11.2075 s, 725 kB/s
ubuntu@ubuntu:~/Downloads$ binwalk new_flash.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
94624         0x171A0         U-Boot version string, "U-Boot 1.1.3 (Aug 31 2015 - 16:32:16)"
131072        0x20000         LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 3523636 bytes
1441280       0x15FE00        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 5317117 bytes, 649 inodes, blocksize: 131072 bytes, created: 2017-02-21 07:24:58
```

But trying to flash that (I figured I would quickly get U-boot working at least) resulted in:

```
ubuntu@ubuntu:~/Downloads$ sudo flashrom --programmer ch341a_spi -w new_flash.bin
flashrom v0.9.9-r1954 on Linux 4.15.0-29-generic (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Calibrating delay loop... OK.
Couldn't open device 1a86:5512.
Error: Programmer initialization failed.
ubuntu@ubuntu:~/Downloads$ sudo flashrom --programmer ch341a_spi -w new_flash.bin
flashrom v0.9.9-r1954 on Linux 4.15.0-29-generic (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Calibrating delay loop... OK.
Found Winbond flash chip "W25Q64.V" (8192 kB, SPI) on ch341a_spi.
Error: Image size (8125952 B) doesn't match the flash chip's size (8388608 B)!
```

Read the whole IC content.
In the included Hex editor, open the OEM firmware package and copy and paste the ranges you need into the package you obtained from the IC. Then write it to the IC. Technically, you only need u-boot to be able to recover but you can do all at once.
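The copy-and-paste step described above, done with dd instead of a hex editor so the result stays exactly chip-sized and flashrom accepts it. This is an added example, not part of the original thread; it assumes the bootloader occupies flash 0x0 up to the kernel at 0x20000 (inferred from the binwalk output earlier in the thread), and the file names are placeholders.

```shell
#!/bin/sh
# Added example: overwrite one region of a full-chip dump with OEM bytes.
# splice_region DUMP OEM OUT OEM_SKIP OFFSET LENGTH CHIP_SIZE
#   OEM_SKIP  bytes of vendor header preceding flash offset 0 in the OEM file
#   OFFSET    flash offset where the region starts (decimal or 0x hex)
#   LENGTH    region length in bytes
splice_region() {
    dump=$1; oem=$2; out=$3
    # Normalise numbers to decimal so dd never sees a 0x prefix
    oem_skip=$(( $4 )); offset=$(( $5 )); length=$(( $6 )); chip=$(( $7 ))
    if [ "$(wc -c < "$dump")" -ne "$chip" ]; then
        echo "dump is not exactly $chip bytes" >&2; return 1
    fi
    if [ $(( offset + length )) -gt "$chip" ]; then
        echo "region runs past the end of the chip" >&2; return 1
    fi
    if [ "$(wc -c < "$oem")" -lt $(( oem_skip + offset + length )) ]; then
        echo "OEM file is too short for that region" >&2; return 1
    fi
    cp "$dump" "$out" || return 1
    # conv=notrunc keeps the rest of the dump in place, so OUT stays chip-sized
    dd if="$oem" of="$out" bs=1 skip=$(( oem_skip + offset )) \
       seek="$offset" count="$length" conv=notrunc 2>/dev/null || return 1
    [ "$(wc -c < "$out")" -eq "$chip" ]
}

# Values taken from the thread: 1024-byte header, 8388608-byte W25Q64.
# Assumption: the bootloader region is flash 0x0 up to the kernel at 0x20000.
# Hypothetical invocation: sh splice.sh dump.bin oem.bin out.bin
if [ "$#" -eq 3 ]; then
    splice_region "$1" "$2" "$3" 1024 0 131072 8388608
fi
```

The dump used as the base has to come from reads that agree with each other, since every byte outside the spliced region is written back to the chip unchanged.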

Ah, OK, so I was being stupid. I thought I could get away with partial flashes but now I know flashrom doesn't work that way.

I really need to work on getting this VCC leg off of the board, but I'm worried that it'll snap off of the package. (How flexible is this thing??? lol) Tweezers aren't working that well lol.

1 mm if you pull from the end is enough, just make sure you do not get the pad off the board and not break the leg off the IC...
Got to go now :slight_smile:

You can, but why would you work hard?

Because the flash connection is unreliable due to the CPU interference. I figured because flashrom seems to be OK for the first few sections of the flash, I could flash the U-boot and carry out the rest of the recovery using TFTP.

BTW, I ran the zip through VirusTotal and got this result: https://www.virustotal.com/gui/file/ce950a18804e6549d1497bea1aa90a8eb2cff077753d65d1cc89c56ceb83e2f2/detection

Could be false positives, but I'll just stay cautious and stick with flashrom :smiley:

Well, free hex editor I guess, I use it anyway and the PC is still where I left it.

OK. This is going to be a disappointing update.

I read the chip a couple more times with the VCC leg fully off of the board. No consistent results. The seven read files I dumped ALL had different md5 hashes.

I looked at the chip and the reader. The SOP8 clip was sliding off of the chip because of the VCC leg sticking straight out. I tried straightening out the VCC leg so that it wouldn't interfere with the reading process, but I accidentally snapped the leg AND the pad off of the board.

sigh

I'm guessing if I solder a wire from the snapped bit to a VCC line I could theoretically get it working, but I'm feeling so dejected from all the failures that I'm not going to attempt it tonight. Well, it was a good learning experience. Special thanks to @vov4ik_il, @jeff, @mk24, @orangepizza, @slh, and @mbo2o for helping me along the way. I'm sure I'll get this router working one way or another, just not today.