SPI flash upgrade from 8MB to 16MB on Archer C6

yikestone · May 7, 2023, 4:26am

Hey guys,

I am upgrading my TP Link Archer C6 v2 (EU) flash from 8MB to 16MB. I have read other discussions on this and I have a few questions regarding what needs to be flashed on 16MB chip.
These are the steps I am going to follow.

Dump the 8MB flash to a file.
Concatenate the file with itself to create a new 16MB(8+8) file, so that ART partition is at correct place. And then write it to the new 16MB flash.
Solder the new flash and enjoy.

Are these steps enough?

I also want to move to US version(so that my router is supported for longer time), what partitions will I need to preserve and which ones to overwrite with data from US version? And how to get those US version partitions?

bigsmile · May 7, 2023, 5:33am

First of all I would install a socket if you are experimenting. You can then swap the flash easily when things fail.

I don't know if there is a PXE-boot tutorial for your device, but I would look into that if experimenting.

Obviously you need to resize some partitions to claim the new space. So if someone has done this before requesting a dump or partitioning layout would save you a lot of time.

That's the extend of my knowledge, I hope it works out.

Good luck

yikestone · May 7, 2023, 7:12am

Hey,

Thanks for the wonderful suggestion of mounting a socket. I searched for them, unfortunately they are not available where I live.
Do you know how I can extract the partition data from the sysupgrade.bin for a particular board?

bigsmile · May 7, 2023, 8:28am

FYI: From this point on, take anything I say as a pointer, not as fact.

You need these afaict from the 8pin chip I see on the left side in the middle of the board:

So from the factory image, running this:

strings openwrt-22.03.5-ath79-generic-tplink_archer-c6-v2-squashfs-factory.bin | grep -i 0x[0-9A-F][0-9A-F]

Results in this:

fwup-ptn partition-table base 0x00800 size 0x00800	
fwup-ptn soft-version base 0x01000 size 0x00019	
fwup-ptn support-list base 0x01019 size 0x000d7	
fwup-ptn os-image base 0x010f0 size 0x227022	
fwup-ptn file-system base 0x228112 size 0x420004	
fwup-ptn extra-para base 0x648116 size 0x0000b	
partition fs-uboot base 0x00000 size 0x20000
partition default-mac base 0x20000 size 0x00200
partition pin base 0x20200 size 0x00100
partition product-info base 0x20300 size 0x00200
partition device-id base 0x20500 size 0x0fb00
partition os-image base 0x30000 size 0x227022
partition file-system base 0x260000 size 0x549400
partition soft-version base 0x7d9400 size 0x00100
partition extra-para base 0x7d9500 size 0x00100
partition support-list base 0x7d9600 size 0x00200
partition profile base 0x7d9800 size 0x03000
partition default-config base 0x7dc800 size 0x03000
partition partition-table base 0x7df800 size 0x00800
partition user-config base 0x7e0000 size 0x0c000
partition certificate base 0x7ec000 size 0x04000
partition radio base 0x7f0000 size 0x10000

I think a good approach would be to assign the other 8mb as extroot since you don't have any USB port afaict. See this

This is a far as I can help you. I'm in way over my head as it is.

EDIT: updated partition extraction to grep hexadecimals instead of decimals

yikestone · May 7, 2023, 8:51am

Thanks for the quick response.
Yes the IC you pointed is the SPI flash. Its SMD not DIP. The link you shared is for DIP. If I order it from Aliexpress it will take 15 days. I will just go ahead and do some temporary jugaad with wires for testing and when it is fully working then solder it to the board.

Thanks a lot for the partitions list.

mk24 · May 7, 2023, 2:19pm

The US bootloader can be extracted from a US factory firmware file. But you can probably boot OK with the EU bootloader. In many TP-Link the factory MAC address is in the bootloader partition so you would need to patch it back in if you replace the bootloader.

The original idea to just copy the old chip (running OpenWrt EU build) into the first 8 MB of the new chip and push the ART out to the end of the new chip should work. After booting, force upgrade to the OpenWrt US build. The ART can be installed at run-time using kmod-mtd-rw to temporarily allow writing to a protected partition.

yikestone · May 8, 2023, 6:56am

Is MAC address part of dts? If yes, then is dts stored on a separate partition or built as part of uboot. I hope replacing US version dts from my EU version dts should do the trick? As well as modify the partitions defined in dts?

bigsmile · May 8, 2023, 8:30am

Very unlikely, then it would be applied to every device where the dtb is loaded. Afaik its u-boot that does that, which can load a config from an address, partition or file. Given that its a router, probably an address.

yikestone · May 8, 2023, 3:44pm

Hey @mk24 ,

One last query.
This is my partition list with correct order and size for 8MB:-

131072 u-boot
65536 info
7995392 firmware
131072 tplink
65536 art

For 16MB if I fill these partitions as below:-
131072 u-boot
65536 info
16384000 firmware (append 0s after 7995392)
131072 tplink
65536 art

And force flash US version openwrt on boot.

Will this be enough?
I am hopping I wont have to touch partition tables or offsets?
I also hope I dont have to change any mac addresses or use kmod-mtd-rw to write 'art', as everything will be in correct place?

mk24 · May 8, 2023, 4:34pm

The partition table is in the OpenWrt firmware. When you boot EU firmware from a 16 MB chip, it uses the EU table thus only 8 MB of the chip is usable. When you flash US firmware it will use the US partition table.

The top part of the chip doesn't need to contain anything with this scheme-- as I said you can write the ART in at runtime from the US firmware. Of course you have to have a copy of ART saved.

yikestone · May 11, 2023, 8:50am

I got the SOP8 test clip. But I am not able to access the flash chip. I tested my setup with a flash chip that was not soldered to anything and it worked. I checked with 2 different routers, for both I am not able to access it. Will it be accessible only when removed from board?

I am using a RPi 3B+.

bigsmile · May 11, 2023, 9:28am

Yes, that's usually the case when its in circuit. However you could try to reduce the length of the wires. The shorter the connection the better, that's why I suggested the socket

yikestone · May 11, 2023, 10:01am

Hmm. It will be difficult for me to get a socket. Lets see if I am able to find one.

Is it a signaling issue? Or voltage drop issue?

bigsmile · May 11, 2023, 1:55pm

Could be both, luckily its only 8 pins, not 48

Whats the flash type? I cant make out the number from the picture on the device page (even though its 4K x 3K). Its something like 25Q64....

Maybe you could get a way with it by lifting a pin or two.

mk24 · May 11, 2023, 2:40pm

As far as reading the old chip, while running OpenWrt you can extract each partition with
cat /dev/mtdX > /tmp/mtdX.bin
Then cat those files together and it is a complete image of the original flash chip. Having done that, flash it into a new chip then swap the chips. A heat gun makes very short work of removing and replacing the flash chip.

bigsmile · May 11, 2023, 6:31pm

I don't think that adds up. I tried this on an Archer C7 and the result is a 43Mb file which could never fit on a 16Mb flash.

major minor  #blocks  name

  31        0        128 mtdblock0
  31        1      16192 mtdblock1
  31        2       2204 mtdblock2
  31        3      13987 mtdblock3
  31        4       9920 mtdblock4
  31        5         64 mtdblock5

mk24 · May 11, 2023, 6:47pm

Some of the partitions, especially "firmware" may be aliases that overlap and combine other partitions.

nvladimirov · May 11, 2023, 9:28pm

The flash layout could be also on several layers. Some device pages have this well explained. If you write it via the router - it will fit. Sometimes when I have the chip unsoldered, I am using the router itself to write the new chip. If the pads are well cleaned - you won't really need a socket. The mtd utility can verify if written correctly or not. The first layer should already contain all the data.

TP-Link Archer C6 V2 (EU/RU/JP) Flash Layout

Layer1 mtd0 ***u-boot*** 128 KiB mtd1 ***info*** 64 KiB mtd2 ***firmware*** 7808 KiB mtd6 ***tplink*** 128 KiB mtd7 ***art*** 64 KiB
Layer2 mtd3 ***kernel*** 2191 KiB (*) mtd4 ***rootfs*** 5616 KiB (*)
Layer3					mtd5 rootfs_data 1408 KiB

yikestone · May 12, 2023, 1:24am

@bigsmile my flash model is slightly different "cfeon qh64a-104hip".

I dumped the contents of current 8MB flash using "dd if=/dev/mtdXro of=/tmp/mtdX" and concatenated the correct ones to get an 8MB file.

As mentioned by @nvladimirov correct ones are:-
mtd0 131072 u-boot
mtd1 65536 info
mtd2 7995392 firmware
mtd6 131072 tplink
mtd7 65536 art

Sum of their sizes is exactly 8MB.

But it would have been good to program flash memory when it was mounted on board. I will try and lift the VCC pin.

bigsmile · May 12, 2023, 6:11am

Alright, so does this create the same file/hash?

ssh root@router "for i in 0 1 2 6 7;do cat /dev/mtd${i}ro;done" > archer_c6_v2.img

Because that looked quite tedious to repeat for someone else following this thread later on