Support for TP-LINK RE305 V3

Hello! adschm on GitHub needs the MAC address assignment for our model to wrap things up. Unfortunately I bricked my device while trying to revert to the stock firmware and won't be able to attach serial soon due to time constrains.
Can someone else provide him the table?
Their original message:

I rearranged some stuff and put the result here:;a=shortlog;h=refs/heads/re305

The only thing missing IMO is the correct MAC address assignment for the v3. Can somebody please post a table like described here, so we can choose the correct addresses and get this done:

sorry for 'hijacking' a bit : anyone else here has received a v4 ? Got it fresh from Amazon! Shall I try a V3 enabled firmware and see how it goes?

Major revisions often mean hardware changes in TP-Link's numbering scheme. I would not try to flash v3 firmware without doing due diligence first.

1 Like

@Borromini yes sure, yet as "The only and important difference between v1 & v3 is in flash memory
layout, so pls don't interchange these 2 builds!" I was hoping something similar would happen.

How can I check the hardware is the same? Visual inspection? serial connection?

Both would be good, yes, check boot log for pointers on flash and RAM, flash layout, but a physical look at the innards never hurts (if you can open it without voiding the warranty).

Even flash memory layout changes can brick your device, if you were to overwrite e.g. radio callibration data etc.

I wouldn't recommend. The RE305 v3 stock firmware image (.bin) size is about ~7MB, while the RE305 v4 stock firmware image size is about ~2.5MB (less than a half).

This might be an indication that they are different hardwares.

I just ordered one RE305 to replace a RE200 (with the expectation I could run OpenWRT on it since OpenWRT on RE200 is broken).

It will arrive next week, hopefully it will be a v3. If it is a v4 I will be very disappointed since there is no OpenWRT support to v4 yet. If it is a v4 and it is easy to take it apart, I will try to find out which hardware v4 has.

1 Like

I just received my RE305 v3 today. Below are the MAC addresses from the stock firmware (I've redacted one portion for privacy reasons but I believe it is sufficient for understanding the MAC addresses order). I will post this information at github as well:

5.0 Ghz: 00-31-92-XX-7F-D0
2.4 Ghz: 00-31-92-XX-7F-D1
Ethernet: 00-31-92-XX-7F-D2


Good news everyone. Thanks to @adrianschmutzler merging of my commit into master, we can now use pre-built snapshots for this device:
So feel free to try it (but again at your own risk..)

1 Like

Hey cheers for getting this through. I'm having an issue with mesh networking where my speeds are halved even though router (archer C7) and extender are right beside me.
Is there any way to restore original tp-link firmware. I've tried TFPT on and with no luck but TFTP seems to work with the Archer C7. Wireshark is also not picking up anything :frowning:
I'm hoping to revisit this over the xmas hols but for the moment I just need the Onemesh back up and running until then. Any help would be appreciated

A possible tentative solution is to prepare the stock firmware file to be flashed via OpenWRT. This should be done via tplink-safeloader utility which needs to be built form OpenWRT source code. You can see more details about how to do this in the RE200 revert to stock firmware at

However if you are not familiar with building OpenWRT this might not be simple. Even doing this notice that there might be issues with versioning in the stock firmware that may prevent it being installed.

Anyway, if you are willing to try this revert ant accept the risk for soft bricking your device (requiring an UART physical connection to restore it), I have this "stock revert" firmware image I prepared sometime ago for the RE305v3. I've never tested it, but if you want to take the risk let me know and I can share it with you.

1 Like

Cheers for the advice, I'll give building it a go and might reach out if I fail.

Can you please clarify what these images are? I flashed image openwrt-ramips-mt76x8-tplink_re305-v3-squashfs-factory.bin to my RE305-v3 device through the web interface and it appears to have flashed OK but upon reboot it was no longer reachable on anything except ssh on default IP I connected to it via ssh and a netstat showed there were no ports open on 80 or 443 and the /web directory was competely empty.

I'm now about to solder a serial adaptor to it and try and recover it. Did I get it completely wrong, I thought the images above are a working dd-wrt firmware for the RE305-v3. What gives?

You have installed a snapshot image. Read the link for instructions how to install Luci, which is not installed by default in snapshots.

1 Like

It's working as intended. Development snapshots have no web interface. If you can get in through SSH why start soldering?

Thanks for the clarification guys. I obviously totally misunderstood what this firmware was all about. I expected an image that had web functionality out of the box (even if still under development) and could be used as a replacement for the OEM TP-Link firmware. I don't have a dev environment setup and I'm unsure how to get Luci installed, hence why I hoped that there would be a firmware image with Luci web baked in.

The reason I had to solder up the serial is that I may have messed up the boot while experimenting with firmwares :open_mouth: The good thing is that I can now use serial to bring up the device with TFTP and initramfs images and recover it.

I'm now trying to figure out how to restore the original OEM firmware version 1.1.1 (so that it leaves me the option to upgrade to a later version through the web) but whatever I do it's a dead end. The OEM kernel starts to boot but the filesystem is mising and it kernel panics. I'm not sure how the OEM firmware image is mangled before it is flashed, the OEM firmware is not accepted by sysupdate as is or after removing it's header and running sysupdate -F or mtd write leads to a kernel with no filesystem and kernel panic.In hindsight I should have dumped the entire EEPROM chip before flashing anything so I have a full backup, oh well, live and learn. I'll keep banging on for a while and see what I can do.

Installing LuCI is documented in the wiki.

1 Like

FYI I managed to successfully revert back to OEM firmware on my v3 after flashing ddwrt firmware. It wasn't an easy journey but it's doable. After reverting, it still had my old configuration saved (old SSID/password/settings) presumably because they are stored on a separate partition that had not been reflashed.

The process I came up to revert was this. I downloaded TP Link OEM firmware v1.1.1 and extracted the kernel and the squashfs from it (the offsets and lengths of these are listed in the header inside the firmware file in human readable form). I then reassembled these two into a new file such as the kernel is at offset 0 and squashfs starts at offset 0x100000 and in between the end of the kernel and start of squashfs the file is padded with 0xff

Next I tftpbooted the device with an initramfs-kernel and uploaded the prepared file to /tmp then used "mtd write <filename> firmware" to flash it. Rebooted and the repeater now run OEM firmware 1.1.1 with all my old settings. I didn't see any errors when watching the serial boot log.

I then went into the firmware upgrade page and it showed firmware version was 2.0.0 so trying to flash OEM firmware 1.1.5 failed as expected. Rebooted and dropped into u-boot menu (you need to have serial soldered to the board for this). The software version is stored in flash at offset 0x7c4208 as ascii string "soft_ver:2.0.0" so I used "spi write 7c4211 31" to modify "2.0.0" to "1.0.0" however upon rebooting and going into the firmware upgrade for some reason it showed firmware version 0.0.0 (I suspect there may be a checksum of the flash area that invalidated the data). Regardless with version 0.0.0 the OEM upgrade through the Web to version 1.1.5 succeded.

1 Like

Do you mean the kernel isn't even starting to load at all, or it starts and then freezes because it can't find a filesystem? You may have somehow flashed a bad firmware.

Since you have the serial setup, try setting up a tftp server on that can serve out an initramfs image (from here and you must connect your RE305-V3 with ethernet cable the same network your tftp server runs on.

When you turn on the RE305 with serial connected press 4 as it starts up to drop into the u-boot menu
type "tftpboot 82000000 openwrt-ramips-mt76x8-tplink_re305-v3-initramfs-kernel.bin" and the serial port should show ####### progress as the image downloads. Then type "bootm" to boot it.

Once booted, in the serial console type "cd /tmp" and use "wget http://xxxx/openwrt-ramips-mt76x8-tplink_re305-v3-squashfs-sysupgrade.bin" where xxxx is a local IP address (192.168.0.x) of a http server that can serve this image

Once you have that in /tmp you can flash it with "sysupgrade openwrt-ramips-mt76x8-tplink_re305-v3-squashfs-sysupgrade.bin"

Hope this helps. Alternativley you can try my instructions above to revert to OEM firmware.
Word of caution, when in u-boot menu DO.NOT.USE. "erase" command, it will wipe the flash including u-boot and your device becomes a brick, you will need to use special hardware to re-write your flash chip! Ask me how I know that and how much fun I had desoldering the flash chip from the board to get it back to working ,)

1 Like

Thanks you, i've resolved

I have mapped out the entire FLASH layout of an OEM RE305-v3 so in priciple you could start with a fully erased chip and return back to a fully functional device. There is just one small area I need assistance with. Can someone please run this command and send me the output. Thanks in advace :slight_smile:

dd if=/dev/mtd0 bs=256 skip=31970 count=5 | gzip - | hexdump -C

I'm happy to share my results if anyone is interested.