TP-Link MR200 firmware update

@gurangax

First you say that "back_to_stock" is meant for webflash with luci.

After that, you have given me a link for a file for flashing with TFTP (160905 V1 version)

I will download this night the file that you linked and check md5.
With TFTP if the file is not good for my hardware ... I supposed that I will not break my lan ports like last time with the old router? With webflash with luci, in my old router, I "broke" my lan ports. Could I get the same problem with TFTP? (I mean, do TFTP and LUCI flash different partitions, or all the same?)

Thanks

So there is no option to flash back_to_stock from

@ortegafernando

Please understand, whichever flash method that you use will have the same effect if the firmware is faulty. The fault is not in the flashing method but the firmware itself. Please also understand that "back_to_stock" file is not recommended by me simply because I will not be able to use tftp after flash with it. You may be able to use webflash with it, I can not guarantee it.

I have provided you with the file to revert back to stock tp-link, this is one of options to flash to stock.

Hi, this file's md5 is: 7ee0e69a81e1e346d6f7cc4956b8d32f
So it is different from the old one.

I want to ensure myself:

  1. your file is for TFTP flash method, so it will be almost impossible to brick my router. If anything is wrong, I could flash again with TFTP the openwrt firmware, couldn't I?
  2. this file could be used also to update an ISP router to an official tplink firmware, couldn't it?
  3. Have you finally checked this file in your router? Please help me.

Thanks.

Of course it's different, it's not even the old one. Please don't compare them. The old one (back_to_stock) is not from me.

  1. If during firmware flash you somehow have power failure then you will brick the device. This will also happen with any firmware.
  2. This firmware is not to convert ISP to stock TP-Link. It is a stock firmware itself. If you want to convert ISP to stock, use an external programmer.
  3. I have checked with my router no problem. I will not post a file if it is not working.

Thanks a lot. I will try

Hi guys.

I'm back again, sorry for the delay.

Finally i desoldered rom chip with my hot air gun.

I read it successfully and made a dump file.

MR200V1_Amena_dump

I used a ch341a miniprogrammer and soic8 adaptor like those:

ch341_miniprogrammer

Soic8_adaptor

I read it twice with two different sw, AsProgrammer_1.4.0 and Ch341_Ver_1.34.
I made a comparison to be sure and was successful.

@ortegafernando, i hope it would help to you.

Good luck.

Hi @ortegafernando, @Gurangax

I have good and bad news.
After desolder rom chip.
I successfully flashed it without issues using my CH341A miniprogrammer.
But after reinstall the chip i have no success with stock dumps.

I explain my process as following:

1.- I use C2V1Stock_dump, posted earlier in this thread. Results:
- Router won’t boot
- No power led
- No 4G led
- Lan ports didn’t work
- Only wifi led lights on.
- Reset/WPS button works, if i long press it router reboots and if short press it WPS led lights on.

2.- Then i tried Heinz firmware Archer MR200 dump from this link. Results:
- Router won’t boot
- Any leds lights on.
- No lan, no wifi, no 4G.
- Reset button press, nothing happens.

Each test involved desoldering and soldering rom chip (4 times) so that i thought i have fried the pcb router.

At this point only i could do was to restore my ISP backup dump, delete any evidence of manipulation, and send it to the SAT, because it is still under warranty, and pray.

But, surprisingly, the ISP backup flash restored my router, all working like a charm.

I don’t understand why the 2 stock dumps don’t work. I think it is related to driver version or hardware difference, i don’t know because the back sticker shows “Archer MR200 ver:1.0”.

I want to upgrade my router to openwrt fw through tftp, but i’m not sure if it causes LAN port not working or something similar.

I read (with translator) at this Polish forum thread a Heinz post, that tells it is possible to rewrite the 3 last partitions mtd3,4,5 through uboot with uart-ttl connected to serial port, but i don’t know how. But the question is what mtd3,4,5 partitions are the correct one.

I don’t know if there is any way to know what the differences are between the ISP dump I posted and the stock dump, in order to know why stock dump doesn’t work, or to make a safe hybrid version, that allows to upgrade with official TPLINK fw.

But, at the moment, i will not try to do any flashing again, until i manage to flash the chip without having to desolder it using soic8 clip, the test desoldering and soldering the chip are very risky and I have reached my limit, 3 desolders and 3 solders are enough.

Best regards.

@jmpcarceles you can try open up the metal shield and take photos of the chip and pcb layout. Just pry them open. That way we can see more details about your device. The motherboard version is probably printed as well.
BTW did you do a full erase of the ROM. It could also be due to writing to ROM problem. So a read verify should confirm the write. Something else you can do is use another flash chip and see if that can solve the problem. What is the SPI flash chip that you have on the router?

@gurangax
I used the same method to do the tests, erase, verify, write, verify.
Only the revert to isp dump works.

These are the images of my PCB:

https://www.mediafire.com/view/ff8dxdd3lt8w2de

https://www.mediafire.com/view/2bywb92z381mooo

The flash chip is a WINBOND W25Q64FVSIG, it works well with isp fw.
This is the isp fw dump:

https://www.mediafire.com/download/5gdshlvkrv4d7ev

Thx

@jmpcarceles

On the other side of the board are the main ICs. you can remove the metal covering and show the markings of the chips. The bottom IC which is metal covered is just the 5Ghz chip. Have you backed up the OTP side of the SPI flash? Does it contain anything? If the device has the same hardware then I would think there is something wrong with the SPI flash, probably the OTP partition, because there is no other reason for it not to work with stock TP-Link firmware.

@gurangax

Main ICs MT7620A

https://www.mediafire.com/view/mfv98frm57csdyn

What's OTP? And how can i backup it?

I soldered 4 pins to serial and use USB-TTL adapter to read log, but it shows unreadable characters, i tried several baudrates but no success, i don't know whats happening, :weary:

Hi @gurangax,

I resoldered again serial port pins.
Now it works well and i can read the bootlog.
I will report my progress when receive my new soic8 clip.

Best regards.

@jmpcarceles
Your device looks identical to mine, so there should be no reason for it to not work with stock tp-link firmware, unless maybe your ISP has written on the OTP of the SPI flash, that will probably cause it not able to use stock tp-link fw.

OTP is the one time programming on the SPI flash chip. I suggest that you get another SPI chip which has not been OTP written and use it for stock tp-link fw. Those are just some protection from your ISP to avoid device tampering.

There is another thing that you can try, swap the working bootloader from your ISP into stock tp-link fw.

@gurangax

What would this swap be for? To flash the stock dump with external programmer? Or to load the stock fw through tftp?

What would be achieved with the bootloader swap?

Thx

To load stock with tftp. It is just a feeling, if lucky you may be able to bypass the ISP protection.

@gurangax

where is bootloader located into rom dump?
Are the same addresses like a stock firmware loaded through web ui?
These are the instructions from openwrt page:

  1. cut the tp-link header from the beginning of the downloaded stock firmware (the first 0x200 bytes)

  2. now extract the bootloader from the stock firmware (the first 0x20000 bytes).

Then, i will cut first 0x20200 bytes from tplink firmware, next copy 0x7B0000 bytes, paste before 0x20000 bootloader isp dump, resulting 8.192 bytes file to load through tftp, is it?

Bootloader or Uboot is located starting at 0x200 and ends at 0x20200, so bootloader size is 0x20000 bytes. So you need to remove the 0x200 bytes header first, and then delete everything after the 0x20000 bytes. Then paste the tp-link firmware without bootloader after the ISP bootloader. The process is just the same, but stock firmware from tp-link web includes the LTE modem firmware as well so it is much bigger in size. You only need to get the content starting from 0x20200 until 0x7d0200. The size of the firmware doesn't matter very much since the copying process is only until 0x7d0000 if i remember it correctly. The partitions from 0x7d0000 till 0x7fffff are read only by default, so they are never touched during a flash. These are the partitions for router settings and data.

Let me know if you need me to make the correct file for you. There are 2 kinds of flash you can try,

  1. by tftp
  2. by external programmer - but you need to use the stock dump earlier and swap the bootloader with your ISP bootloader. For this method you need a file of size 8,192 Kb
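
The offsets from the reply above, worked through as an added example (not code from any poster in this thread): it builds both candidate images, the TFTP one and the full 8,192 KB one for an external programmer. The function names are hypothetical, a raw flash dump is assumed to start with the bootloader at offset 0, and the inputs under `__main__` are constructed filler bytes, not real firmware.

```python
import hashlib

HEADER_LEN = 0x200      # TP-Link header at the start of the web firmware file
BOOT_LEN = 0x20000      # bootloader (U-Boot) size
BODY_END = 0x7D0000     # flash offset where the read-only partitions begin
FLASH_LEN = 0x800000    # full dump size of the 8,192 KB flash


def isp_bootloader(isp_dump: bytes) -> bytes:
    """First 0x20000 bytes of a full ISP dump (assumed: bootloader at offset 0)."""
    if len(isp_dump) != FLASH_LEN:
        raise ValueError(f"ISP dump is {len(isp_dump):#x} bytes, expected {FLASH_LEN:#x}")
    return isp_dump[:BOOT_LEN]


def build_tftp_image(isp_dump: bytes, stock_fw: bytes) -> bytes:
    """ISP bootloader followed by stock firmware bytes 0x20200..0x7d0200,
    i.e. the stock file with its header and its own bootloader dropped."""
    start, end = HEADER_LEN + BOOT_LEN, HEADER_LEN + BODY_END
    if len(stock_fw) < end:
        raise ValueError(f"stock firmware is shorter than {end:#x} bytes")
    image = isp_bootloader(isp_dump) + stock_fw[start:end]
    if len(image) != BODY_END:          # must stop before the read-only area
        raise ValueError("assembled image has the wrong size")
    return image


def build_programmer_image(isp_dump: bytes, stock_dump: bytes) -> bytes:
    """Full-size image: the stock dump with only its first 0x20000 bytes
    replaced by the ISP bootloader."""
    if len(stock_dump) != FLASH_LEN:
        raise ValueError(f"stock dump is {len(stock_dump):#x} bytes, expected {FLASH_LEN:#x}")
    return isp_bootloader(isp_dump) + stock_dump[BOOT_LEN:]


def sha256_hex(data: bytes) -> str:
    """Digest to compare a self-built file against one built by someone else."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    # Constructed stand-ins for the real files.
    isp = b"I" * FLASH_LEN
    stock_fw = b"H" * HEADER_LEN + b"B" * BOOT_LEN + b"F" * 0x900000
    stock_dump = b"S" * FLASH_LEN
    for name, img in (("tftp", build_tftp_image(isp, stock_fw)),
                      ("programmer", build_programmer_image(isp, stock_dump))):
        print(f"{name}: {len(img):#x} bytes, sha256 {sha256_hex(img)}")
```
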

@gurangax

I tried to make my own file, but i'm not so sure if it's correct, could you make a file to compare with mine?
I make a file with C2V1stock_dump and another with tplink stock fw_160412.
i have a doubt about C2V1stock_dump, i've seen the xml config data is located at 0x7C0000, but in the isp dump xml is located at 0x7E0000, into mtd3,4,5 read only partitions.
So, if i flash via tftp stock dump with isp bootloader, the xml data will be duplicated, could this be a problem?, could it be better to use a tplink fw to swap bootloader?.

Thx.

Those last 3 partitions will never be touched. they are read only by default. One way to rewrite them is by external programmers. I prefer writing those last 3 partitions as well by using external programmers, this is to make sure that no ISP settings remain in there, and use c2v1 stock dump.