[solved] TP-Link Archer C5 v2 - can't flash - Broadcom

TL;DR Table of hardware about Archer C5 v2

TFTP recovery procedure:

Reported stock firmwares with working TFTP:

  • Japan: 3.17.1 Build 20160524 Rel.69003
  • US: 3.17.1 Build 20150908 Rel. 43260

As per commit https://git.lede-project.org/?p=source.git;a=commit;h=01280bc8dc1d9ca089fad7b231d718e166698f4a, support has been added to the master branch.

The firmware to use that can be flashed directly from the stock firmware interface is in the ToH (Table of Hardware):

  • There is no support for the 5GHz radio, only 2.4GHz and not very well supported

  • Snapshot builds do not come with LuCI. You need to install it using the CLI:

opkg update
opkg install luci-ssl

  • WAN MAC Address has to be set manually because it's not automatically detected:

Hi @DjiPi!
Thanks for your reply.
I tried to find the TFTP mode with the WPS button pressed while powering the router, as on other TP-LINKs.
At the same time, I had a WireShark monitoring on LAN1 (also tried LAN4).
I couldn't find any packet from the Router until I release the button, in which case I see the normal packets when the Router starts.
In other words, I couldn't see any ARP request from any IP or any TFTP packet at all.

Any hint on how to access this mode?

Thanks in advance.

I have an Archer C5 v2 (in stock firmware).
This weekend I'll try to install LEDE.

I'll tell you about it.

@guidoa Have you tried this?

http://www.tp-link.com/us/faq-1482.html

Hi @Klingon, thanks for the link.

I haven't seen it, but I will give it a try as soon as possible.

I'll let you know the results!

Thanks again.

I have tried the LEDE firmware with my Archer C5 v2 (Japan model, but I think the hardware is the same as elsewhere).

I have tested with the following stock firmwares (for Japan model):
3.17.1 Build 20170313 Rel.49237
3.17.1 Build 20160824 Rel.52902
3.17.1 Build 20160524 Rel.69003

With the Web console, I got the same -25533 error code.

The TFTP method itself worked, but the firmware seems to be rejected.

My steps:

  1. Connect PC to one of the LAN ports.
  2. Set PC's IP to 192.168.0.66/24.
  3. Set up a tftp server, rename the LEDE firmware to "ArcherC5v2_tp_recovery.bin" and put it on the root of the server.
  4. Turn on the router with the WPS/Reset button held, until the WPS LED stops blinking and stays on.
  5. The log shows that there is a read request for file "ArcherC5v2_tp_recovery.bin" from 192.168.0.86.
    Though the LEDE firmware was successfully transferred to the router, after rebooting it was still in previous stock firmware.

I have also tried with stock firmwares. They were accepted through this method, and got installed successfully. I can use the TFTP method to both upgrade and downgrade.
After the LEDE firmware is transferred, the router reboots itself immediately, while after the stock firmwares are transferred, the router reboots itself after a few seconds (flashing?).
So the TFTP method itself should work. Perhaps we need to make a firmware that can be accepted by the router (then we may not encounter the -25533 error with the web console though).

I haven't tried the FAQ-1482 method mentioned by @Klingon. It seems that method requires the router to get bricked first, which seems risky for me.

Thanks @ssnake. I could make my unit go into TFTP, but I'll give it a new try in the following days.
I agree that the hardware for the Japan/EU/US model is probably the same, but the firmware seems to be different.
I tried loading a TP-LINK from a different region to my US router and I received the same error.

Regards,

Thanks @guidoa.
"The same error loading a firmware from a different region" is a great hint. It predicts that the router may have checked something (maybe the header, as with the US model of Archer C7 v2) in the incoming firmwares and rejects those that are not fit for it. We may need to include a proper region code in the header to make the firmware accepted by the router.

@ssnake, that's exactly what I was thinking. Probably I wasn't able to make myself clear about it.
Unfortunately, I don't have the necessary knowledge to help with this.
What would be the way to check what's the necessary header that should be included?

Thanks in advance.

Thanks @guidoa for your hint. I succeeded in flashing my Archer C5.

What I have done:

  1. Open the LEDE firmware with any text editor.
  2. Change the "special_id" ("00000000") to the one as in the stock firmware (in my case, "4A500000" from JP stock firmware).
  3. Flash it with TFTP method. (Web console still rejects it with error code 18005.)

I haven't looked into whether everything works properly. But I can at least log into LuCI.

I hope this may help you.

Hi @ssnake.
That's really good news.

I will take a look at the stock firmware of my unit to check the "special_id" and modify the LEDE firmware to that value.

Could you please clarify a little bit more on how you managed to get to the TFTP mode?

I understand you turned on the unit with the WPS button pressed, but I'm not sure if you released it when the WPS LED stayed on.

Unfortunately I'm at my office now and my C5 is at home. I will try as soon as possible.

Thanks in advance.

Yes, I released the WPS button after the LED stays on (perhaps it doesn't really matter, since I saw the file transfer started before I released the button).

It is also possible that the US model does not enter the TFTP recovery mode at all (I have experienced it with my Buffalo router, whose US model enters TFTP but JP model doesn't).

I hope this is not the case, but always a possibility...

@ssnake If you are interested in doing some tests and can supply product_ver also, I will try to patch the source code.

Same thing for you @guidoa, if you supply me both product_ver and special_id, I will try to patch it and test it with your help. After the patch it should load right from the stock firmware Web interface.

I'd like to help. Could you explain what tests would you like me to perform?

As for the product_ver, it is the same "2.0.0" as in the LEDE source code.

I copied the following from JP stock firmware:

SupportList:
{product_name:ArcherC5,product_ver:2.0.0,special_id:4A500000}
{product_name:ArcherC5,product_ver:2.0.0,special_id:00000000}

You may also be interested in:

vendor_name:TP-LINK
vendor_url:www.tp-link.com
product_name:ArcherC5
language:en
product_ver:2.0.0
product_id:00050002
special_id:4A500000

My two cents:

Info from the 2 available firmwares for the US version:

Stock Firmware: archer_c5v2_us-up-ver3-17-1-P1[20150908-rel43260]

vendor_name:TP-LINK
vendor_url:www.tp-link.com
product_name:ArcherC5
language:us
product_ver:2.0.0
product_id:00050002
special_id:55530000
SupportList:
{product_name:ArcherC5,product_ver:2.0.0,special_id:00000000}
{product_name:ArcherC5,product_ver:2.0.0,special_id:55530000}

Stock Firmware: archer_c5v2_us-up-ver3-17-1-P1[20160201-rel61368]

vendor_name:TP-LINK
vendor_url:www.tp-link.com
product_name:ArcherC5
language:us
product_ver:2.0.0
product_id:00050002
special_id:55530000
SupportList:
{product_name:ArcherC5,product_ver:2.0.0,special_id:55530000}
{product_name:ArcherC5,product_ver:2.0.0,special_id:00000000}
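
The SupportList comparison discussed in the posts above, as an added example that is not code from the thread, from LEDE or from TP-Link. It assumes the entries appear in the image as ASCII text exactly as quoted, and that the device accepts an image only when its own identity is listed (the thread's hypothesis); the sample blobs are constructed, using the special_id values quoted above.

```python
import re

# One SupportList entry, in the form quoted in the thread.
ENTRY_RE = re.compile(
    rb"\{product_name:([^,}]+),product_ver:([^,}]+),special_id:([0-9A-Fa-f]{8})\}"
)

def support_list(image: bytes):
    """Return (product_name, product_ver, special_id) tuples found in an image."""
    return [tuple(g.decode("ascii", "replace") for g in m.groups())
            for m in ENTRY_RE.finditer(image)]

def accepts(image: bytes, device) -> bool:
    """Assumed check: the device identity must appear in the image's SupportList."""
    name, ver, sid = device
    return any((n, v, s.upper()) == (name, ver, sid.upper())
               for n, v, s in support_list(image))

def retarget(image: bytes, old_id: str, new_id: str) -> bytes:
    """Swap one special_id for another of equal length, keeping all offsets."""
    if len(old_id) != 8 or len(new_id) != 8:
        raise ValueError("special_id must be 8 hex characters")
    out = image.replace(b"special_id:" + old_id.encode(),
                        b"special_id:" + new_id.encode())
    assert len(out) == len(image)  # same-length edit, nothing shifts
    return out

def blob(*ids):
    """Constructed sample: padding around a SupportList with the given ids."""
    entries = "".join(
        "{product_name:ArcherC5,product_ver:2.0.0,special_id:%s}\n" % i for i in ids)
    return b"\x00" * 16 + ("SupportList:\n" + entries).encode() + b"\xff" * 16

JP_STOCK = blob("4A500000", "00000000")   # ids quoted from the JP stock firmware
US_STOCK = blob("55530000", "00000000")   # ids quoted from the US stock firmware
GENERIC = blob("00000000")                # assumed shape of the unmodified LEDE image
JP_DEVICE = ("ArcherC5", "2.0.0", "4A500000")
US_DEVICE = ("ArcherC5", "2.0.0", "55530000")

if __name__ == "__main__":
    for label, img in [("JP stock", JP_STOCK), ("US stock", US_STOCK),
                       ("generic", GENERIC)]:
        print(label, "JP:", accepts(img, JP_DEVICE), "US:", accepts(img, US_DEVICE))
    patched = retarget(GENERIC, "00000000", "4A500000")
    print("retargeted, JP:", accepts(patched, JP_DEVICE))
```

Under these assumptions the check reproduces what the thread reports: a cross-region image and the generic image are refused, while a same-length change of special_id makes the image match the device.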

I'm going to make the patch and build the firmware, so if you could just load the bin file using the stock firmware interface, that would be it. I'll let you know when the firmware is available, it will take a while to build.

@guidoa thanks, will incorporate those as well.

@ssnake unless I'm mistaken, your router is JP localized and @guidoa your router is US localized.

A bit of advice: Before you flash this build, ensure that TFTP recovery is working while on stock firmware. It's possible that it's not the latest firmware that works, so flash the latest stock firmware and go backward until the TFTP recovery procedure works. No stripping of the firmware file is required to go back to stock using TFTP recovery.

Hi @DjiPi.

Thanks!
You are correct, mine is US localized, bought on Amazon.
I will download and try your version.

Regarding your advice on rolling back, I already read something about that, but I don't clearly understand it.
If TFTP does not flash the U_Boot partition, but the stock firmware GUI does flash it, will the LEDE binaries work if flashed either way?
On the other hand, from what I could see in the binaries, there's a list of what has to be flashed where. If we directly strip the first bytes, shouldn't this table be corrected?
I would appreciate it if you could give me some more details on this.

Thanks in advance.

I own an Archer C7 v2 with stripping required. I never experimented going back to stock.

In fact @guidoa, my advice was more for @ssnake because he's not on the stock firmware anymore, but you are. For you it should be straightforward to flash.

You can read friedzombie's explanation here:
http://www.friedzombie.com/tplink-stripped-firmware/

Unfortunately, he doesn't carry a stripped version for the Archer C5 v2. It's easy to make, but at this point it becomes easier to brick your router if you don't have a TTL serial access for rescue, since TFTP is not working for you. This implies opening your router, doing some soldering and acquiring a TTL-to-USB cable.

So unless you have some experience with that (or someone else on this forum does) or are willing to do R&D, going back to stock firmware might be a bricking experience.