TP-Link MR200 firmware update

@jmpcarceles you can try opening up the metal shield and taking photos of the chip and PCB layout. Just pry it open. That way we can see more details about your device. The motherboard version is probably printed as well.
BTW, did you do a full erase of the ROM? It could also be due to a problem writing to the ROM. So a read verify should confirm the write. Something else you can do is use another flash chip and see if that can solve the problem. What is the SPI flash chip that you have on the router?

@gurangax
I used the same method to do the tests, erase, verify, write, verify.
Only the revert to isp dump works.

These are the images of my PCB:

https://www.mediafire.com/view/ff8dxdd3lt8w2de

https://www.mediafire.com/view/2bywb92z381mooo

The flash chip is a WINBOND W25Q64FVSIG, it works well with isp fw.
This is the isp fw dump:

https://www.mediafire.com/download/5gdshlvkrv4d7ev

Thx

@jmpcarceles

On the other side of the board are the main ICs. You can remove the metal covering and show the markings of the chips. The bottom IC which is metal covered is just the 5GHz chip. Have you backed up the OTP side of the SPI flash? Does it contain anything? If the device has the same hardware then I would think there is something wrong with the SPI flash, probably the OTP partition, because there is no other reason for it not to work with stock TP-Link firmware.

@gurangax

Main ICs MT7620A

https://www.mediafire.com/view/mfv98frm57csdyn

What's OTP? And how can I back it up?

I soldered 4 pins to serial and used a USB-TTL adapter to read the log, but it shows unreadable characters. I tried several baud rates but no success, I don't know what's happening, :weary:

Hi @gurangax,

I resoldered the serial port pins again.
Now it works well and I can read the bootlog.
I will report my progress when I receive my new soic8 clip.

Best regards.

@jmpcarceles
Your device looks identical to mine, so there should be no reason for it to not work with stock tp-link firmware, unless maybe your ISP has written to the OTP of the SPI flash; that will probably make it unable to use stock tp-link fw.

OTP is the one time programming on the SPI flash chip. I suggest that you get another SPI chip which has not been OTP written and use it for stock tp-link fw. Those are just some protection from your ISP to avoid device tampering.

There is another thing that you can try, swap the working bootloader from your ISP into stock tp-link fw.

@gurangax

What would this swap be for? To flash the stock dump with external programmer? Or to load the stock fw through tftp?

What would be achieved with the bootloader swap?

Thx

To load stock with tftp. It is just a feeling, if lucky you may be able to bypass the ISP protection.

@gurangax

Where is the bootloader located in the rom dump?
Are the addresses the same as in a stock firmware loaded through the web UI?
These are the instructions from the openwrt page:

  1. cut the tp-link header from the beginning of the downloaded stock firmware (the first 0x200 bytes)

  2. now extract the bootloader from the stock firmware (the first 0x20000 bytes).

Then, I will cut the first 0x20200 bytes from the tplink firmware, next copy 0x7B0000 bytes, paste before 0x20000 bootloader isp dump, resulting 8.192 bytes file to load through tftp, is it?

The bootloader or Uboot is located starting at 0x200 and ends at 0x20200, so the bootloader size is 0x20000 bytes. So you need to remove the 0x200 bytes header first, and then delete everything after the 0x20000 bytes. Then paste the tp-link firmware without bootloader after the ISP bootloader. The process is just the same, but stock firmware from the tp-link web includes the LTE modem firmware as well, so it is much bigger in size. You only need to get the content starting from 0x20200 until 0x7d0200. The size of the firmware doesn't matter very much since the copying process is only until 0x7d0000 if I remember it correctly. The partitions from 0x7d0000 till 0x7fffff are read only by default, so they are never touched during a flash. These are the partitions for router settings and data.

Let me know if you need me to make the correct file for you. There are 2 kinds of flash you can try,

  1. by tftp
  2. by external programmer - but you need to use the stock dump earlier and swap the bootloader with your ISP bootloader. For this method you need a file of size 8,192 Kb
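
The two files described in the post above, assembled with length checks, as an added example that is not part of the original thread and not the poster's own tool. It assumes a raw flash dump has no 0x200 header, so its bootloader starts at offset 0; the function names and the filler-byte sample data are constructed for illustration.

```python
"""Added example: assemble the two MR200 images described in the post above."""

HEADER_LEN = 0x200      # TP-Link header at the start of the web-download firmware
BOOT_LEN = 0x20000      # bootloader (U-Boot) size
RO_START = 0x7D0000     # read-only partitions run from here to 0x7FFFFF
FLASH_LEN = 0x800000    # full SPI flash dump, 8,192 KiB


def build_tftp_image(isp_dump: bytes, stock_web_fw: bytes) -> bytes:
    """ISP bootloader followed by the stock firmware body (0x20200..0x7D0200)."""
    body_start, body_end = HEADER_LEN + BOOT_LEN, HEADER_LEN + RO_START
    if len(isp_dump) != FLASH_LEN:
        raise ValueError(f"ISP dump is {len(isp_dump):#x} bytes, expected {FLASH_LEN:#x}")
    if len(stock_web_fw) < body_end:
        raise ValueError(f"stock firmware ends before {body_end:#x}")
    # Assumption: a raw flash dump has no 0x200 header, so U-Boot starts at offset 0.
    image = isp_dump[:BOOT_LEN] + stock_web_fw[body_start:body_end]
    if len(image) != RO_START:
        raise ValueError("assembled image has the wrong length")
    return image


def build_programmer_image(isp_dump: bytes, stock_dump: bytes) -> bytes:
    """Full-flash image: stock dump with its first 0x20000 bytes taken from the ISP dump."""
    for name, blob in (("ISP dump", isp_dump), ("stock dump", stock_dump)):
        if len(blob) != FLASH_LEN:
            raise ValueError(f"{name} is {len(blob):#x} bytes, expected {FLASH_LEN:#x}")
    return isp_dump[:BOOT_LEN] + stock_dump[BOOT_LEN:]


def constructed_samples():
    """Constructed stand-ins for the real files; each region is one filler byte."""
    isp_dump = b"I" * BOOT_LEN + b"i" * (FLASH_LEN - BOOT_LEN)
    stock_dump = b"S" * BOOT_LEN + b"s" * (FLASH_LEN - BOOT_LEN)
    # header + bootloader + firmware body + extra data standing in for the larger web image
    stock_web_fw = b"H" * HEADER_LEN + b"B" * BOOT_LEN + b"F" * 0x7B0000 + b"L" * 0x1000
    return isp_dump, stock_dump, stock_web_fw


if __name__ == "__main__":
    isp, stock, web = constructed_samples()
    tftp = build_tftp_image(isp, web)
    full = build_programmer_image(isp, stock)
    print(f"tftp image {len(tftp):#x} bytes, programmer image {len(full):#x} bytes")
```

With real files, read each one with `open(path, "rb").read()` and compare a read-back dump against the written image before powering the router.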

@gurangax

I tried to make my own file, but I'm not so sure if it's correct, could you make a file to compare with mine?
I made a file with C2V1stock_dump and another with tplink stock fw_160412.
I have a doubt about C2V1stock_dump: I saw the xml config data is located at 0x7C0000, but in the isp dump the xml is located at 0x7E0000, in the mtd3,4,5 read only partitions.
So, if I flash the stock dump with isp bootloader via tftp, the xml data will be duplicated, could this be a problem? Could it be better to use a tplink fw to swap the bootloader?

Thx.

Those last 3 partitions will never be touched. They are read only by default. One way to rewrite them is by external programmers. I prefer writing those last 3 partitions as well by using external programmers, this is to make sure that no ISP settings remain in there, and use c2v1 stock dump.

I've broken my MR200 and tried a lot to revert it to stock (using SPI programming) but it doesn't work and the modem/router does not boot (antenna LEDs blink once and nothing).
Could you please put up the firmware file that you made?

Flashing this router looks quite tricky from what I read.

Has there been any progress?

I have an MR200 v1 with custom Orange firmware on which the OEM fw update doesn't work.

Can someone share a safe method for flashing this kind of device? Preferably with prepared and tested files already, as I don't have experience with the hex editing mentioned in some guides. Thanks.

The problem is, I don't have that specific Orange MR200 device and can only guess based on stock TP-Link MR200 which is officially supported by openwrt. If I can get my hands on an Orange MR200 router, then it will help very much.

There are two versions of the tp-link archer mr200 v1:
Archer MR200(EU) V1
&
Archer MR200_V1
I don't know what the actual difference is, but you can't use eu firmware for non-eu or vice versa...
Tp-link firmware doesn't allow this naturally, but if you do that using tftp or other methods you will soft-brick your router!

Hi gurangax
Could you please make a "squashfs-sysupgrade.bin" for me?
I'm using an archer mr200 v1 blue screen.

This link is for the stock firmware " https://static.tp-link.com/Archer_MR200(EU)_V1_160905_1476936302791w.zip "
and this is the sysupgrade one " http://downloads.openwrt.org/releases/19.07.3/targets/ramips/mt7620/openwrt-19.07.3-ramips-mt7620-ArcherMR200-squashfs-sysupgrade.bin "

please.
thank you

It is easy to do, the guide should be sufficient. Currently I am too busy to do it, maybe when I have more free time I will try it.

Regards

Thanks,
cuz I couldn't do that.
I can't export the bootloader from the stock firmware.
Thank you if you do.