[solved] TP-Link Archer C5 v2 - can't flash - Broadcom

Hi @DjiPi.

Thanks!
You are correct, mine is US localized, bought on Amazon.
I will download and try your version.

Regarding your advice on rolling back, I already read something about that, but I don't clearly understand it.
If TFTP does not flash the U-Boot partition, but the stock firmware GUI does flash it, will the LEDE binaries work if flashed either way?
On the other hand, from what I could see on the binaries, there's a list of what has to be flashed where. If we directly strip the first bytes, shouldn't this table be corrected?
I would appreciate if you could give me some more details on this.

Thanks in advance.

I own an Archer C7 v2 with stripping required. I never experimented going back to stock.

In fact @guidoa, my advice was more for @ssnake because he's not on the stock firmware anymore, but you are. For you it should be straightforward to flash.

You can read friedzombie's explanation here:
http://www.friedzombie.com/tplink-stripped-firmware/

Unfortunately, he doesn't carry a stripped version for the Archer C5 v2. It's easy to make, but at this point it becomes easier to brick your router if you don't have TTL serial access for rescue, since TFTP is not working for you. This implies opening your router, doing some soldering and acquiring a TTL-to-USB cable.

So unless you have some experience with that (or someone else on this forum has) or are willing to do R&D, going back to stock firmware might be a bricking experience.

OK, I did some more research.

For the C7 v2, I compared the LEDE firmware with a stock firmware (containing "boot" in the filename) and with a stripped stock firmware.
Although the files are clearly different, I could find similarities between the LEDE file and the stripped stock file. It's also clearly visible that the stock (non-stripped) file has something else in the first 0x20200 bytes. After those 0x20200 bytes, the three files are similar.

Then, I compared C5 and C7 files:

The first thing I could see, is that the files are completely different between C7 and C5 (both LEDE and stock). C7 files seem to be completely binary, while C5 files have some areas that seem to be clear text, stating the base and size of what can be found on the files, the base and size of the partitions on the router, etc.
C5 firmwares (both stock and LEDE) seem to have not only what has to be flashed, but also the information on where each part has to be flashed.

On the other hand, I compared LEDE and stock images for the C5 (similar to the first comparison, but in this case for the C5):

I could find that both files have EXACTLY the same format.

Starting at 0x1014, there's some information of what information is where (on the file):
For example, for LEDE:
fwup-ptn partition-table base 0x00800 size 0x00800
fwup-ptn soft-version base 0x01000 size 0x00015
fwup-ptn support-list base 0x01015 size 0x00056
fwup-ptn os-image base 0x0106b size 0x15e000
fwup-ptn file-system base 0x15f06b size 0x240004

If you add 0x1014 to those bases, you could find the partition table at 0x1814 of the image file.
The Support list is clearly visible on 0x2029.

If you look for the same things in the stock firmware, the format is exactly the same.
It is true that the stock firmware contains more data to be flashed (for example the U-Boot partition), but it is also true that it clearly states what's where in the file.

For example, for a stock image, starting on 0x1014:

fwup-ptn partition-table base 0x00800 size 0x00800
fwup-ptn fs-uboot base 0x01000 size 0x3722a
fwup-ptn os-image base 0x3822a size 0x1a6001
fwup-ptn file-system base 0x1de22b size 0x7ee001
fwup-ptn product-info base 0x9cc22c size 0x00095
fwup-ptn soft-version base 0x9cc2c1 size 0x00015
fwup-ptn support-list base 0x9cc2d6 size 0x00095

So, my conclusion is that stripping the first X bytes from the file would leave the image a complete mess, as those addresses would probably be incorrect.
Also, if we want to take out the U-Boot data, it doesn't seem to be in the first X bytes, but actually after the partition table data.
If we just strip some bytes so we take out the U-Boot data, we would also be stripping the partition table and, more important, the "fwup-ptn" information that seems to state what has to be flashed and where.

What I'm not sure is:

The LEDE firmware for the C5 has the same format as the stock firmware, so the stock firmware "knows" how to handle it and flashes it correctly.
BUT
Does the LEDE software "know" how to handle this image format that I described earlier? Or will it just flash the data of the .bin image to the flash memory of the router?
If that's the case, I think that flashing a stock firmware (or even a new LEDE version) through LEDE could brick it.

On the other hand, and supposing that the TFTP method continues to work after flashing LEDE, I guess any version (unstripped stock or LEDE) could be flashed again using this method, as it clearly "knows" how to handle this image format.

@ssnake, could you please confirm whether, after flashing LEDE, TFTP continued to fetch files when powering up with the WPS button pressed?

I still have to check whether my US router has this TFTP mode.

Sorry for the long post!

It seems this format is the "TP-LINK SafeLoader".

According to tplink-safeloader.c:

The firmware image must contain at least the partition-table and support-list partitions
to be accepted. There aren't any alignment constraints for the image partitions.

The partition-table partition contains the actual flash layout; partitions
from the image partition table are mapped to the corresponding flash partitions during
the firmware upgrade. The support-list partition contains a list of devices supported by
the firmware image.

The base offsets in the firmware partition table are relative to the end
of the vendor information block, so the partition-table partition will
actually start at offset 0x1814 of the image.

I think partition-table must be the first partition in the firmware image.

So, my doubt is still the same: Will the installed and working LEDE know how to flash a "SafeLoader" file?

Regards,
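To make the two fwup-ptn listings and the quoted comment concrete, here is an added example (editor's code, not from the thread and not LEDE's tplink-safeloader.c) that parses the header of a SafeLoader image: it reads the fwup-ptn lines at 0x1014, adds 0x1014 to each base to get file offsets, pulls the flash layout out of the partition-table partition, and checks that every image partition has a same-named flash partition it fits into, which is the name-based mapping the quoted comment describes. The offsets used (size field at 0, MD5 at 4, vendor block at 0x14, table at 0x1014, bases relative to 0x1014) are my reading of the layout comment in that source file and should be checked against the version you build from. The sample images, their flash layout and the framing of the support-list partition (4-byte length, 4 zero bytes, text, trailer byte) are constructed for the demo and are not a real Archer C5 v2 dump. The last line shows the point made above about stripping: cutting bytes off the front relocates nothing, so the table is no longer where the loader looks for it and the size field no longer matches.

```python
import re
import struct

# Offsets as I read the layout comment in firmware-utils' tplink-safeloader.c
# (assumption: check them against the source you build from).
TABLE_OFF = 0x1014   # image partition table; fwup-ptn bases are relative to this
TABLE_LEN = 0x800    # table is 0x800 bytes, 0xff padded, so the first partition has base 0x800
LINE_RE = re.compile(rb"(fwup-ptn|partition) ([\w-]+) base 0x([0-9a-f]+) size 0x([0-9a-f]+)\n")


def parse_lines(region, kind):
    """Return [(name, base, size)] for every '<kind> NAME base 0x.. size 0x..' line.
    The region is cut at the first 0xff so padding never produces stray matches."""
    region = region.split(b"\xff", 1)[0]
    return [(m.group(2).decode(), int(m.group(3), 16), int(m.group(4), 16))
            for m in LINE_RE.finditer(region) if m.group(1) == kind]


def parse_image(image):
    """Return (parts, flash): parts maps each image partition to (absolute offset, bytes),
    flash maps each flash partition from the partition-table partition to (base, size)."""
    if len(image) < TABLE_OFF + TABLE_LEN:
        raise ValueError("too short to hold a SafeLoader header")
    declared = struct.unpack(">I", image[:4])[0]
    if declared != len(image):
        raise ValueError(f"size field 0x{declared:x} != file length 0x{len(image):x}")
    entries = parse_lines(image[TABLE_OFF:TABLE_OFF + TABLE_LEN], b"fwup-ptn")
    if not entries:
        raise ValueError("no fwup-ptn table at 0x1014: stripped, or not a SafeLoader image")
    parts = {}
    for name, base, size in entries:
        start = TABLE_OFF + base
        if start + size > len(image):
            raise ValueError(f"{name}: 0x{start:x}+0x{size:x} runs past the end of the file")
        parts[name] = (start, image[start:start + size])
    for req in ("partition-table", "support-list"):
        if req not in parts:
            raise ValueError(f"required image partition {req} missing")
    flash = {n: (b, s) for n, b, s in parse_lines(parts["partition-table"][1], b"partition")}
    return parts, flash


def fit_problems(parts, flash):
    """A flasher maps each image partition onto the flash partition of the same name;
    report every one that has no target or is larger than its target."""
    problems = []
    for name, (_, data) in parts.items():
        if name not in flash:
            problems.append((name, "no flash partition of that name"))
        elif len(data) > flash[name][1]:
            problems.append((name, f"0x{len(data):x} > flash size 0x{flash[name][1]:x}"))
    return problems


def rejects(image):
    """True when parse_image refuses the image."""
    try:
        parse_image(image)
        return False
    except ValueError:
        return True


# --- constructed sample images (demo data, not a real Archer C5 v2 dump) ---
FLASH_LAYOUT = [("fs-uboot", 0x00000, 0x40000), ("os-image", 0x40000, 0x180000),
                ("file-system", 0x1c0000, 0x600000), ("partition-table", 0x7c0000, 0x02000),
                ("soft-version", 0x7c2000, 0x01000), ("support-list", 0x7c3000, 0x01000)]
SUPPORT_LIST = b"SupportList:\r\n{product_name:ArcherC5,product_ver:2.0.0,special_id:00000000}\r\n"


def build_sample(with_uboot):
    """Assemble a SafeLoader-shaped image; with_uboot=True adds an fs-uboot partition the
    way the stock image does. Payloads are filler and the MD5 field is left zero."""
    ptable = b"\x00\x04\x00\x00" + b"".join(
        b"partition %s base 0x%05x size 0x%05x\n" % (n.encode(), b, s) for n, b, s in FLASH_LAYOUT) + b"\x00"
    slist = struct.pack(">II", len(SUPPORT_LIST), 0) + SUPPORT_LIST + b"\x00"
    payloads = [("partition-table", ptable.ljust(0x800, b"\xff"))]
    if with_uboot:
        payloads.append(("fs-uboot", b"U" * 0x1200))
    payloads += [("os-image", b"K" * 0x2000), ("file-system", b"R" * 0x3000),
                 ("soft-version", b"v" * 0x15), ("support-list", slist)]
    table, body, base = b"", b"", TABLE_LEN
    for name, data in payloads:
        table += b"fwup-ptn %s base 0x%05x size 0x%05x\n" % (name.encode(), base, len(data))
        body, base = body + data, base + len(data)
    vendor = b"constructed demo image"
    head = struct.pack(">I", TABLE_OFF + TABLE_LEN + len(body)) + b"\x00" * 16
    head += struct.pack(">I", len(vendor)) + vendor.ljust(0xffc, b"\xff")
    return head + table.ljust(TABLE_LEN, b"\xff") + body


if __name__ == "__main__":
    for flavour, img in (("LEDE-like", build_sample(False)), ("stock-like", build_sample(True))):
        parts, flash = parse_image(img)
        print(flavour, {n: hex(off) for n, (off, _) in parts.items()}, fit_problems(parts, flash) or "fits")
    # "Stripping the first X bytes" relocates nothing, so the table is no longer at 0x1014
    print("stripped image rejected:", rejects(build_sample(True)[0x1000:]))
```

On a downloaded stock or LEDE .bin, parse_image(open(path, "rb").read()) gives you the same offsets as the listings above (the partition-table partition lands at 0x1814, and in the LEDE image the support-list text at 0x2029). Two caveats: the example does not verify the salted MD5 at offset 4, which a real flasher does, and it only requires the partition-table partition to be present, not to be listed first, since the EU stock listing later in the thread shows it fourth in the table while still sitting at base 0x800.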

@guidoa Did you succeed in using the TFTP recovery to flash a standard stock image for your model, just for the sake of knowing if it could be a recovery path in case of bricking?

You might be right in your assumptions, since on friedzombie I couldn't find any stripped firmwares for the models defined within the tplink-safeloader.c source code.

@DjiPi I can confirm that your build can be loaded directly from the web interface of stock firmware.

Also I can use TFTP to roll back to a stock firmware without stripping it.

@guidoa In my case, TFTP continues to work after flashing LEDE. It is still powering up with WPS button pressed. Hope you can deal with yours.


In the EU stock firmware we can find:

{product_name:ArcherC5,product_ver:2.0.0,special_id:00000000}

fwup-ptn fs-uboot base 0x01000 size 0x3723d
fwup-ptn os-image base 0x3823d size 0x1a6001
fwup-ptn file-system base 0x1de23e size 0x7e8001
fwup-ptn partition-table base 0x00800 size 0x00800
fwup-ptn soft-version base 0x9c623f size 0x00015
fwup-ptn support-list base 0x9c6254 size 0x00056

Each region seems to use a different special code.
I suppose it's not new at all, but, is good to know.

@DjiPi, @ssnake,

I have some news.

There are two available firmwares on TP-Link web for the US version:

3.17.1 Build 20160201 Rel. 61368
3.17.1 Build 20150908 Rel. 43260

With 43260 flashed, I can see a TFTP request every time I turn the router on with the WPS button pressed. It takes about 7 seconds from power-up to see the TFTP request. I tried several times and it worked 100% of the times.
On the other hand, with 61368 flashed, I could not see a TFTP request nor an ARP request for any IP like 192.168.0.66 or 86.
I tried several times, with the same result.
I thought maybe the problem was that Windows usually takes some seconds to detect the LAN as UP, so I connected a switch between the router and my laptop. Now, Windows has the Ethernet port UP all the time. I made the same test, with the WPS button pressed, with the WiFi On/Off button pressed and even with both buttons pressed, with no success.

So, my conclusion is that TP-Link took out the TFTP option on this release.
Anyway, this seems strange, as the behavior of the WPS Led when powering up with the WPS button is the same with both firmwares. It blinks for a couple of seconds and then stays on.

Although the LEDE build from @DjiPi would probably flash from WEB GUI of both stock firmwares, I will try it with 43260 flashed, so I can go back to stock if needed using TFTP.

My recommendation: DO NOT FLASH LEDE THROUGH WEB IF TFTP IS NOT WORKING WITH INSTALLED STOCK FIRMWARE.

Anyway, next step: Flash LEDE (@DjiPi build), on TFTP from TP-Link 43260.
I would have a non-up-to-date U-Boot partition, but I would have the possibility to go back to Stock.

I'll let you know the result as soon as possible.

Regards,
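The recovery check described in the post above (PC on a static IP, router powered on with WPS held, TFTP request after roughly seven seconds) is easiest to diagnose with a server that logs every request it sees, whether or not a transfer follows. The script below is an added example, not from the thread and not part of LEDE: a minimal read-only TFTP server (RFC 1350 opcodes, 512-byte blocks, one DATA per ACK) in Python that binds the address the thread uses, 192.168.0.66, prints the peer, requested file name and mode of every request, and serves one file regardless of the name, since the thread does not state which name the Archer C5 v2 bootloader asks for. The bind address and image path are command-line arguments and are assumptions; port 69 needs root or an equivalent capability.

```python
import socket
import struct
import sys
import time

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5   # RFC 1350 opcodes
BLOCK = 512                                  # data bytes per packet


def parse_request(pkt):
    """Decode 'opcode(2) filename NUL mode NUL'; returns (opcode, filename, mode)."""
    if len(pkt) < 4:
        raise ValueError("short packet")
    (op,) = struct.unpack(">H", pkt[:2])
    fields = pkt[2:].split(b"\x00")
    if op not in (RRQ, WRQ) or len(fields) < 2:
        raise ValueError("not a TFTP request")
    return op, fields[0].decode("ascii", "replace"), fields[1].decode("ascii", "replace").lower()


def data_packet(block, chunk):
    return struct.pack(">HH", DATA, block & 0xFFFF) + chunk


def error_packet(code, message):
    return struct.pack(">HH", ERROR, code) + message.encode() + b"\x00"


def parse_ack(pkt):
    """Return the acknowledged block number, or None if pkt is not an ACK."""
    if len(pkt) < 4:
        return None
    op, block = struct.unpack(">HH", pkt[:4])
    return block if op == ACK else None


def blocks(data):
    """Yield (block number, chunk). The final chunk is shorter than BLOCK, and is empty
    when len(data) is a multiple of BLOCK; that short block is what ends the transfer."""
    n = 0
    while True:
        n += 1
        chunk = data[(n - 1) * BLOCK:n * BLOCK]
        yield n, chunk
        if len(chunk) < BLOCK:
            return


def serve(data, peer, timeout=3.0, retries=5):
    """Send data to peer from a fresh port (our transfer ID), one block per ACK."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        for n, chunk in blocks(data):
            pkt = data_packet(n, chunk)
            for _ in range(retries):
                sock.sendto(pkt, peer)
                try:
                    reply, src = sock.recvfrom(516)
                except socket.timeout:
                    continue
                if reply[:2] == struct.pack(">H", ERROR):
                    raise RuntimeError("client error: " + reply[4:].rstrip(b"\x00").decode(errors="replace"))
                if src == peer and parse_ack(reply) == (n & 0xFFFF):
                    break
            else:
                raise TimeoutError(f"no ACK for block {n}")
        return n
    finally:
        sock.close()


def main(bind_ip, path):
    image = open(path, "rb").read()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, 69))
    print(f"listening on {bind_ip}:69 with {len(image)} bytes; power the router on with WPS held")
    while True:
        pkt, peer = sock.recvfrom(516)
        try:
            op, name, mode = parse_request(pkt)
        except ValueError as e:
            print(f"{peer[0]}: ignored ({e})")
            continue
        print(f"{time.strftime('%H:%M:%S')} {peer[0]} {'RRQ' if op == RRQ else 'WRQ'} {name!r} mode {mode}")
        if op != RRQ:
            sock.sendto(error_packet(2, "read-only server"), peer)
            continue
        try:
            print(f"sent {serve(image, peer)} blocks to {peer[0]}")
        except (TimeoutError, RuntimeError) as e:
            print(f"transfer to {peer[0]} failed: {e}")


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: tftp_serve.py BIND_IP IMAGE")
    main(sys.argv[1], sys.argv[2])
```

Start it before powering the router on, with the PC's interface already up (the post above notes that Windows can take a few seconds to bring the link up, which is why a switch in between helped). A logged RRQ with no completed transfer tells you the bootloader is asking but did not like the answer; no RRQ at all within the first ten seconds or so is the 61368 behaviour described above. The server ignores the requested mode and always sends the file as-is, which is what a firmware image needs.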

I assume that you also fixed your static IP to 192.168.0.66 and did not use a DHCP client?

:+1:

Thank you for the info; that special_id is already built into LEDE's safeloader module so you should be able to make it work straight from the actual release branch.

That's correct!

Good News!
LEDE flashed and working!
I now have to check if everything works well. At the moment, I only see 2.4 GHz WiFi.
I'm not sure if there's support for 5 GHz on this router.


By the way, is it expected behaviour to have different MACs?

The MAC on LAN and WAN with LEDE flashed are totally different from those with Stock Firmware.

This is expected with a Broadcom device (see top warning of ToH and this thread):

Thanks!

What about the MAC address? Is it expected to have different MACs?

By the way, flashing stock firmware again using TFTP works.

So I confirm it is possible on Archer C5 v2 US version to flash LEDE through WEB GUI of Stock image with your build and it's possible to go back from LEDE to Stock using TFTP, AS LONG AS the last Stock image used had TFTP support.

My recommendation again, just in case:

DO NOT FLASH LEDE THROUGH WEB IF TFTP IS NOT WORKING WITH INSTALLED STOCK FIRMWARE.

Regards,

Usually the MACs are taken from the ART partition, but I can't answer that particular question because I don't know. As a workaround there is always the possibility to specify the MAC address you want in the configuration file.

Can you find the original MAC somewhere in the bootlog or in the ART partition (0x000000ff0000-0x000001000000 if it's the same as C7)?

have you tried brcmfmac on it?

Yesterday I flashed my C5 v2 (EU version) directly from the stock firmware to LEDE (17.01.2) and I had no problems.
After that, I updated again to the latest version found here http://ftp.halifax.rwth-aachen.de/lede/snapshots/targets/bcm53xx/generic/ and I realized the kernel was version 4.9 and not 4.4 like 17.01.02.

The router is working fine, except for the WiFi (also known), maybe one day it will work fine too.

Thanks again to all the people making LEDE possible and keeping it going.

Right now I don't have access to my Router. Will check it as soon as I can.