TP-Link MR200 firmware update

There is another thing that you can try, swap the working bootloader from your ISP into stock tp-link fw.

1 Like

@gurangax

What would this swap be for? To flash the stock dump with external programmer? Or to load the stock fw through tftp?

What would be achieved with the bootloader swap?

Thx

To load stock with tftp. It is just a feeling, if lucky you may be able to bypass the ISP protection.

@gurangax

Where is the bootloader located in the ROM dump?
Are the addresses the same as in a stock firmware loaded through the web UI?
These are the instructions from the OpenWrt page:

  1. cut the tp-link header from the beginning of the downloaded stock firmware (the first 0x200 bytes)

  2. now extract the bootloader from the stock firmware (the first 0x20000 bytes).

Then, I will cut the first 0x20200 bytes from the tplink firmware, next copy 0x7B0000 bytes, paste before 0x20000 bootloader isp dump, resulting 8.192 bytes file to load through tftp, is it?

The bootloader or Uboot is located starting at 0x200 and ends at 0x20200, so the bootloader size is 0x20000 bytes. So you need to remove the 0x200 bytes header first, and then delete everything after the 0x20000 bytes. Then paste the tp-link firmware without bootloader after the ISP bootloader. The process is just the same, but stock firmware from the tp-link web includes the LTE modem firmware as well, so it is much bigger in size. You only need to get the content starting from 0x20200 until 0x7d0200. The size of the firmware doesn't matter very much since the copying process is only until 0x7d0000, if I remember it correctly. The partitions from 0x7d0000 till 0x7fffff are read only by default, so they are never touched during a flash. These are the partitions for router settings and data.

Let me know if you need me to make the correct file for you. There are 2 kinds of flash you can try,

  1. by tftp
  2. by external programmer - but you need to use the stock dump earlier and swap the bootloader with your ISP bootloader. For this method you need a file of size 8,192 Kb
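Added example, not part of the original posts: a Python sketch that assembles both images described above (the TFTP image and the full 8,192 KB programmer image) from the offsets quoted in the post, and checks the resulting sizes before anything is flashed. The function names and the sample data are assumptions made for illustration; real inputs would be the vendor firmware file and the two flash dumps.

```python
# Added example (not from the thread). Offsets are the ones quoted in the
# post above; function names and sample data are assumptions/constructed.
HEADER = 0x200        # TP-Link header at the start of the vendor file
BOOT = 0x20000        # bootloader (U-Boot) size
WRITABLE = 0x7D0000   # flash below this is rewritten; above is read-only
FLASH = 0x800000      # whole chip: 8,192 KB


def isp_bootloader(isp_dump: bytes) -> bytes:
    """A raw flash dump has no vendor header; U-Boot is its first 0x20000."""
    if len(isp_dump) != FLASH:
        raise ValueError(f"dump is {len(isp_dump):#x} bytes, want {FLASH:#x}")
    return isp_dump[:BOOT]


def tftp_image(vendor_fw: bytes, isp_dump: bytes) -> bytes:
    """ISP bootloader + vendor body (file offsets 0x20200 up to 0x7d0200)."""
    body = vendor_fw[HEADER + BOOT:HEADER + WRITABLE]
    if not body:
        raise ValueError("vendor file ends before offset 0x20200")
    image = isp_bootloader(isp_dump) + body
    assert len(image) <= WRITABLE   # never reaches the read-only partitions
    return image


def programmer_image(stock_dump: bytes, isp_dump: bytes) -> bytes:
    """Full-chip image: stock dump with only the first 0x20000 replaced."""
    if len(stock_dump) != FLASH:
        raise ValueError(f"dump is {len(stock_dump):#x} bytes, want {FLASH:#x}")
    return isp_bootloader(isp_dump) + stock_dump[BOOT:]


def constructed_samples():
    """Fill bytes mark each region so the splice can be checked by eye."""
    vendor = b"H" * HEADER + b"V" * BOOT + b"F" * (WRITABLE - BOOT) + b"M" * 0x1000
    isp = b"I" * BOOT + b"i" * (FLASH - BOOT)
    stock = b"S" * BOOT + b"s" * (WRITABLE - BOOT) + b"c" * (FLASH - WRITABLE)
    return vendor, isp, stock


if __name__ == "__main__":
    vendor, isp, stock = constructed_samples()
    for name, img in (("tftp", tftp_image(vendor, isp)),
                      ("programmer", programmer_image(stock, isp))):
        print(f"{name}: {len(img):#x} bytes, starts with {img[:4]!r}")
```

With the constructed inputs the TFTP image comes out at 0x7d0000 bytes (0x20000 of bootloader plus 0x7B0000 of firmware body) and the programmer image at exactly 8,192 KB.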

@gurangax

I tried to make my own file, but I'm not so sure if it's correct, could you make a file to compare with mine?
I made a file with C2V1stock_dump and another with tplink stock fw_160412.
I have a doubt about C2V1stock_dump: I've seen the xml config data is located at 0x7C0000, but in the isp dump the xml is located at 0x7E0000, in mtd3,4,5 read only partitions.
So, if I flash via tftp the stock dump with the isp bootloader, the xml data will be duplicated. Could this be a problem? Could it be better to use a tplink fw to swap the bootloader?

Thx.

Those last 3 partitions will never be touched. They are read only by default. One way to rewrite them is by external programmers. I prefer writing those last 3 partitions as well by using external programmers, this is to make sure that no ISP settings remain in there, and use c2v1 stock dump.

I've broken my MR200 and tried a lot to revert it to stock (using SPI programming) but it doesn't work and the modem/router does not boot (antenna LEDs blink once and nothing).
Could you please put up the firmware file that you made?

Flashing this router looks quite tricky from what I read.

Has there been any progress?

I have an MR200 v1 with custom Orange firmware on which the OEM fw update doesn't work.

Can someone share a safe method for flashing this kind of device? Preferably with prepared and tested files already, as I don't have experience with the hex editing mentioned in some guides. Thanks.

The problem is, I don't have that specific Orange MR200 device and can only guess based on stock TP-Link MR200 which is officially supported by openwrt. If I can get my hands on an Orange MR200 router, then it will help very much.

There are two versions of the tp-link archer mr200 v1:
Archer MR200(EU) V1
&
Archer MR200_V1
I don't know what the actual difference is, but you can't use eu firmware for non-eu or vice versa...
Tp-link firmware doesn't allow this naturally, but if you do that using tftp or other methods you will soft-brick your router!

Hi gurangax,
could you please make a "squashfs-sysupgrade.bin" for me?
I'm using an archer mr200 v1 blue screen.

This link is for the stock firmware " https://static.tp-link.com/Archer_MR200(EU)_V1_160905_1476936302791w.zip "
and this is the sysupgrade one " http://downloads.openwrt.org/releases/19.07.3/targets/ramips/mt7620/openwrt-19.07.3-ramips-mt7620-ArcherMR200-squashfs-sysupgrade.bin "

Please.
Thank you

It is easy to do, the guide should be sufficient. Currently I am too busy to do it, maybe when I have more free time I will try it.

Regards

Thanks,
cuz I couldn't do that.
I can't export the bootloader from the stock firmware.
Thank you if you do

Hi,

Several months ago, I bricked the MR200 but when I saw that there was a method that didn't require de-soldering anything, I bought the tools I needed to try fixing the modem-router.

My MR200 has Spanish ISP limitations but I've been able to flash an official tplink firmware, god bless the guy who wrote the debricking method :clap:.

Now the problem that I have is that I'm not able to see the MR200 when it is in recovery mode through the tftp server. So I wanted to embed the sysupdate Openwrt file with the bootloader and the other three sections into a new file and flash it with the programmer but the file size doesn't match. Can somebody (@gurangax I invoke you :innocent:) put me in the trace to generate an 8192kb file with Openwrt firmware embedded? Thanks a lot!

Hi @jmpcarceles,

Could you share the Amena firmware dump again? I would like to know if my issues with tftp are related to some corrupted data. Thanks!

Hi again,

I've been able to install OpenWrt, fixing the issues that I had with the tftp server. I had to use the ISP bootloader and manually configure the Default Gateway in the ethernet properties. Now everything works like a charm :smile:

I think the best way is to use the original bootloader for your device to avoid bricks. I realized that there are several EEPROM ICs which are used by this router, and using the wrong bootloader might soft brick it since it's not made for that particular IC.

The easiest way to upload any official version from tp-link is to edit the tp-link files with a hex editor and remove the first 512 bytes, 0x200 in hexadecimal.

Then you rename the file as ArcherC2V1_tp_recovery.bin

Change the IP address of your PC to 192.168.0.66 mask 255.255.252.0 and share the file with a TFTP server.

Power on the MR200 with the WPS button pressed till the power LED flashes, then wait till the router restarts and all the LEDs light up.

I have tested several times and changed between all the versions, looking to see if the VPN passthrough issue was solved in any of them. I have had no success in that.

1 Like

Have you done this method with the Spanish MR200 from Amena/Orange? Is everything working?

I would like to know the way to flash the Spanish MR200 from Amena/Orange to the latest official version.

Thanks.