TP-Link Archer MR600 exploration

Is there anyway to revert back to the original firmware ? @relghuar
I've used the option "1" and if I'm flashing original stock firmware it says "Bad magic number"
And flashing the same tplink image through sysupgrade doesn't work...

I had to open mine

Yes there is, I've done it at least once myself, although it's not totally straightforward.
You need to unpack the .bin file from tp-link zip package, and then extract kernel and rootfs images from there, ideally as a single image which can then be flashed from openwrt (that you can boot directly from u-boot using command line, see earlier posts).
Command I used to get firmware.bin out was simple, should work just fine for you as that still seems to be latest version, at least from german site - just MAKE SURE you have the V2 hardware of course! (

dd if="Archer_MR600v2_1.6.0_0.9.1_[220105-rel58321]_up_boot_Release_2022-01-05_16.41.23.bin" of=firmware.bin bs=$((0x100)) skip=$((0x202)) count=$((0xfa00))

Now you can simply upload that firmware.bin into the openwrt-booted router (via scp for example) and use mtd command to write it directly to "firmware" partition, something like this:

mtd write firmware.bin firmware

A simple reboot afterwards should boot stock firmware.

PS: I'm pretty sure there should be a way to upload and flash that firmware.bin directly from u-boot command line, but I have no way to test it anymore so I won't speculate on the required procedure :slight_smile: Someone with easy access to serial console and an hour or two to kill should be able to find out easily.

1 Like

You're a life saver, Thank you !

Everybody and their neighbors here seem to have successfully booted their Archer MR600 v2 with OpenWrt, and here I am with LZMA ERROR 1 when I'm trying to do so.

I've tried openwrt-22.03.3-ath79-generic-openmesh_mr600-v2-initramfs-kernel.bin and openwrt-ramips-mt7621-tplink_mr600-v2-eu-initramfs-kernel.bin with various load addresses, 0x81001000, 0x80001000, 0x80060000 and even the weird 0x0c00000 that the official OpenWrt page about mr600 mentions.

Whatever attempt I try ends up with an LZMA ERROR 1.

I am 100% sure it is an Archer MR600 Ver 2.0.

Found the right address thanks to this post [Solved] Uboot - Not enough buffer for decompression LZMA ERROR 1 - #29 by numero53
tftp 0x80a00000 openwrt.bin did the trick.

1 Like

Your method works like a charm, it actually helped me unbrick the device from a saveenv. Now I use it to toy with 2021's firmware squashfs, only to see if there are security issues in there.
This Makefile made my life easier, HTH anyone:

BS = $(shell printf "%d" 0x100)
SKIP = $(shell printf "%d" 0x202)
FW = "Archer_MR600v2_1.3.0_0.9.1_[210208-rel61056]_up_boot_Release_2021-02-08_17.06.35.bin"
TARGET = "outcast:tmp/"
MODFW = "Archer_iMil.bin"

all:	copy

	dd if=${FW} of=firmware.bin bs=${BS} skip=${SKIP}

	dd if=firmware.bin of=${MODFW} bs=1 count=2097152

squash:	uboot
	rm -f modified_squashfs.img
	mksquashfs squashfs_extract modified_squashfs.img -comp xz -no-fragments

glue:	squash
	cat modified_squashfs.img >> ${MODFW}

copy:	glue
	scp ${MODFW} ${TARGET}
	echo "press 4 at u-boot to get to the prompt, then"
	echo "setenv ipaddr"
	echo "setenv serverip"
	echo "tftp 0x80a00000 openwrt.bin; bootm"

The machine I build on is not the machine with the serial plugged in, hence the scp.
On the remote serial machine, openwrt.bin is a kernel+initrd snapshot.

1 Like

How's the WiFi for you ? Is it horrible like us ?

1 Like

Hi! Sorry for stepping in like this :} But from the discussion above I have not understood if we need serial access to the device in order to flash OpenWrt on the MR600, or if it can be done via LAN.

check this:

I just signed up to the forums to say the guides here are very helpful, it lead to my first time soldering.

Was going to solder pins but realised the pictures showing the serial pinout were taken from the side with the heat sinks removed. No space on the back for pins unless I cut a large-ish hole so I got creative with the cable installation:

I also wrote a small script to give the signal bars some functionality. I have a non-flashed MR600 to compare and believe the strength is determined by RSSI, however the script can be adapted for any values returned by UQMI signal info. Put the script in a non-temp folder and add it as a scheduled task. I set mine to run every 2 minutes:


RSSI=$(uqmi -d /dev/cdc-wdm0 --get-signal-info | grep rssi | grep -Eo '[0-9]+')

if [[ $RSSI -le "95" ]]; then

if [[ $RSSI -le "85" ]]; then

if [[ $RSSI -le "75" ]]; then

while [[ $i -le 3 ]]; do
	if [[ $STRENGTH -ge $i ]]; then
		echo default-on > /sys/class/leds/white:signal$i/trigger
		echo none > /sys/class/leds/white:signal$i/trigger

	i=$((i + 1))

UQMI does seem to timeout returning info after a while, it seems the device gets busy with a "failed to connect to service" message, the data connection continues to works fine though.

The grafana dashboard is coming along nicely too when UQMI isn't timing out...

hi there
have a question and want to use ch341 programmer: to get rid off isps firmware and load the oryginal tplinks one would it be something like for unbricking the mr200 v1 ? anyone tried or have some ideas?

  • Export your Router's configuration by doing dd if=MR600_dump.bin of=Configurations.bin bs=64k count=3 skip=125

  • Cut the header from the oryginal mr600v2 tplinks firmware by doing dd if=stock.bin of=stock_NoHeader.bin bs=512 skip=1

  • Export boot + router firmware from the file by doing dd if=stock_NoHeader.bin of=stock_BootFW_nomodem.bin bs=64k count=125

  • Merge boot + router firmware with your Router Configuration by doing cat stock_BootFW_nomodem.bin Configurations.bin > Firmware.bin

would this be worth trying ?

I might take a look at implementing support for MR600v1 soonish.
Opening it to get to the serial port was annoying tbh :sweat_smile:
it's on the bottom of the board and there is a silver plastic hinge or something clamping together top and bottom part of the case that was annoying to get out. (I bend it with the top part of the case first, so I might not be able to get it back in)

Atleast others will be able to install fw through tftp instead.


can confirm, it is still broken
currently the line to edit is 570

then run (to add luci and support for the lte module)
make image PROFILE="tplink_mr600-v2-eu" PACKAGES="luci luci-proto-qmi"
and flash the image

thank you @relghuar for your work!
saved me alot of time

here's a pic of the serial pins, since the other links seem to be down


Awesome work guys, looking forward to trying it!

Is sending SMS possible with this build? Via AT to the modem maybe?

There are different possibilities to configure the wan interface. With the default config there is a tool (sms-tool) and external luci app but I use ModemManager(mmcli) with a script to forward sms by mail.

Hi @Djfe

I have an Archer MR600(EU) v1. Is there any way I can help with implementing OpenWRT support for it?

I only want to use it in bridge mode. My TV has a crappy wifi interface, so I want to connect it to the MR600 using ethernet, and connect the MR600 to my home wifi network.

I didn't find enough time to look at v1, yet.
Last time I stopped because I'm trying to figure out whether the modem works on stock rom.
Right now the mr600 v1 doesn't detect my nano sim (with adapter). Could be due to the adapter not sure. I want to know whether it works before figuring out implementing OpenWRT support.
Anyone else has problems with the device not detecting your sim card?

For your use case you could use any other router that already has support.
The MR600 v1 is only feasible if I can find a way to install openwrt without serial access.
I don't want people to need to open the case to install openwrt since it damages the case.