TP-Link MR200 firmware update


#81

@jmpcarceles you can try opening up the metal shield and taking photos of the chip and PCB layout. Just pry them open. That way we can see more details about your device. The motherboard version is probably printed there as well.
BTW, did you do a full erase of the ROM? It could also be due to a ROM writing problem, so a read verify should confirm the write. Something else you can do is use another flash chip and see if that solves the problem. What is the SPI flash chip that you have on the router?


#82

@gurangax
I used the same method to do the tests: erase, verify, write, verify.
Only reverting to the ISP dump works.

These are the images of my PCB:

https://www.mediafire.com/view/ff8dxdd3lt8w2de

The flash chip is a WINBOND W25Q64FVSIG; it works well with the ISP fw.
This is the ISP fw dump:

https://www.mediafire.com/download/5gdshlvkrv4d7ev

Thx


#83

@jmpcarceles

On the other side of the board are the main ICs. You can remove the metal covering and show the markings of the chips. The bottom IC which is metal covered is just the 5 GHz chip. Have you backed up the OTP side of the SPI flash? Does it contain anything? If the device has the same hardware then I would think there is something wrong with the SPI flash, probably the OTP partition, because there is no other reason for it not to work with stock TP-Link firmware.


#84

@gurangax

Main ICs MT7620A

https://www.mediafire.com/view/mfv98frm57csdyn

What's OTP? And how can I back it up?

I soldered 4 pins to the serial port and used a USB-TTL adapter to read the log, but it shows unreadable characters. I tried several baud rates but with no success, I don't know what's happening. :weary:


#85

Hi @gurangax,

I resoldered the serial port pins again.
Now it works well and I can read the boot log.
I will report my progress when I receive my new SOIC8 clip.

Best regards.


#86

@jmpcarceles
Your device looks identical to mine, so there should be no reason for it not to work with stock TP-Link firmware, unless maybe your ISP has written to the OTP of the SPI flash; that will probably prevent it from using the stock TP-Link fw.

OTP is the one-time programmable area of the SPI flash chip. I suggest that you get another SPI chip whose OTP has not been written and use it for the stock TP-Link fw. That is just some protection from your ISP to prevent device tampering.


#87

There is another thing that you can try: swap the working bootloader from your ISP into the stock TP-Link fw.


#88

@gurangax

What would this swap be for? To flash the stock dump with an external programmer? Or to load the stock fw through tftp?

What would be achieved with the bootloader swap?

Thx


#89

To load stock with tftp. It is just a feeling; if you are lucky you may be able to bypass the ISP protection.


#90

@gurangax

Where is the bootloader located in the ROM dump?
Are the addresses the same as in a stock firmware loaded through the web UI?
These are the instructions from the OpenWrt page:

  1. cut the tp-link header from the beginning of the downloaded stock firmware (the first 0x200 bytes)

  2. now extract the bootloader from the stock firmware (the first 0x20000 bytes).

Then I will cut the first 0x20200 bytes from the TP-Link firmware, copy the next 0x7B0000 bytes, and paste them before the 0x20000 bootloader from the ISP dump, resulting in an 8.192 bytes file to load through tftp, is that right?


#91

The bootloader (U-Boot) is located starting at 0x200 and ending at 0x20200, so the bootloader size is 0x20000 bytes. So you need to remove the 0x200-byte header first, and then delete everything after the 0x20000 bytes. Then paste the TP-Link firmware without its bootloader after the ISP bootloader. The process is just the same, but the stock firmware from the TP-Link web site includes the LTE modem firmware as well, so it is much bigger in size. You only need to get the content starting from 0x20200 until 0x7d0200. The size of the firmware doesn't matter very much since the copying process only goes until 0x7d0000, if I remember correctly. The partitions from 0x7d0000 till 0x7fffff are read only by default, so they are never touched during a flash. These are the partitions for router settings and data.

Let me know if you need me to make the correct file for you. There are two kinds of flashing you can try:

  1. by tftp
  2. by external programmer - but you need to use the stock dump from earlier and swap its bootloader with your ISP bootloader. For this method you need a file of size 8,192 KB

#92

@gurangax

I tried to make my own file, but I'm not so sure if it's correct; could you make a file to compare with mine?
I made one file with C2V1stock_dump and another with the TP-Link stock fw_160412.
I have a doubt about C2V1stock_dump: I've seen that the XML config data is located at 0x7C0000, but in the ISP dump the XML is located at 0x7E0000, in the mtd3,4,5 read-only partitions.
So, if I flash the stock dump with the ISP bootloader via tftp, the XML data will be duplicated; could this be a problem? Could it be better to use a TP-Link fw to swap the bootloader?

Thx.


#93

Those last 3 partitions will never be touched; they are read only by default. One way to rewrite them is with an external programmer. I prefer writing those last 3 partitions as well using an external programmer, to make sure that no ISP settings remain in there, and to use the C2V1 stock dump.
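
The two bootloader-swapped images described in #91 (tftp file of 0x7d0000 bytes; full 8 MiB file for an external programmer) and #93 (full dump so the last three partitions are rewritten too) can be built with a short script. The following is an added example, not code from this thread, from TP-Link or from OpenWrt. The offsets (0x200 TP-Link header, 0x20000-byte U-Boot, writable area ending at 0x7d0000, 8 MiB W25Q64 chip) are taken from the posts above and are assumptions for any other board revision; the 0x7d0000 boundary in particular is stated "if I remember correctly" in #91, so confirm it against your own dump (for example by locating the XML config data as #92 does) before flashing anything.

```python
#!/usr/bin/env python3
"""Build the bootloader-swapped MR200 images discussed in #91 and #93.

Added example, not from the thread, TP-Link or OpenWrt.  Layout below is an
assumption taken from the posts (MR200 v1, 8 MiB W25Q64FV):

  TP-Link web-UI image:  0x000000-0x000200  TP-Link header (never flashed)
                         0x000200-0x020200  U-Boot, 0x20000 bytes
                         0x020200-0x7d0200  kernel + rootfs
                         0x7d0200-...       LTE modem firmware etc. (not needed)
  raw SPI dump (8 MiB):  0x000000-0x020000  U-Boot
                         0x020000-0x7d0000  kernel + rootfs
                         0x7d0000-0x800000  config/data partitions (mtd3-5),
                                            not written by a tftp flash
"""
import sys

TPLINK_HEADER = 0x200       # header the web UI strips before writing
BOOTLOADER_SIZE = 0x20000   # U-Boot partition
FW_END = 0x7D0000           # first byte the tftp recovery flash does not write
FLASH_SIZE = 0x800000       # W25Q64 = 64 Mbit = 8 MiB


def isp_bootloader(isp_dump: bytes) -> bytes:
    """U-Boot from a raw dump of the ISP flash (a dump has no TP-Link header)."""
    if len(isp_dump) < BOOTLOADER_SIZE:
        raise ValueError("ISP dump is shorter than the bootloader partition")
    return isp_dump[:BOOTLOADER_SIZE]


def stock_payload(tplink_fw: bytes) -> bytes:
    """kernel+rootfs from a web-UI TP-Link image: skip the header and the
    TP-Link U-Boot, stop where the data partitions begin (0x20200..0x7d0200)."""
    start = TPLINK_HEADER + BOOTLOADER_SIZE
    end = TPLINK_HEADER + FW_END
    if len(tplink_fw) < end:
        raise ValueError("TP-Link image too short; need at least 0x%x bytes" % end)
    return tplink_fw[start:end]


def build_tftp_image(isp_dump: bytes, tplink_fw: bytes) -> bytes:
    """Method 1 (#91): ISP U-Boot + stock kernel/rootfs, 0x7d0000 bytes for tftp.
    The last three partitions are not part of this file, so tftp leaves them alone."""
    image = isp_bootloader(isp_dump) + stock_payload(tplink_fw)
    if len(image) != FW_END:
        raise AssertionError("tftp image size mismatch: 0x%x" % len(image))
    return image


def build_programmer_image(isp_dump: bytes, stock_dump: bytes) -> bytes:
    """Method 2 (#91/#93): full 8 MiB image for an external programmer.
    ISP U-Boot in front, everything else (including mtd3-5) from the C2V1
    stock dump, so no ISP settings survive in the data partitions."""
    if len(stock_dump) != FLASH_SIZE:
        raise ValueError("stock dump must be a full 0x%x-byte chip dump" % FLASH_SIZE)
    return isp_bootloader(isp_dump) + stock_dump[BOOTLOADER_SIZE:]


def data_partitions_differ(image_a: bytes, image_b: bytes) -> bool:
    """True if the read-only region (0x7d0000..end) of two 8 MiB dumps differs.
    Compare a pre-write and a post-write dump to confirm what actually changed."""
    return image_a[FW_END:FLASH_SIZE] != image_b[FW_END:FLASH_SIZE]


def main(argv):
    if len(argv) != 5 or argv[1] not in ("tftp", "prog"):
        sys.exit("usage: %s tftp|prog isp_dump.bin stock.bin out.bin" % argv[0])
    mode, isp_path, stock_path, out_path = argv[1:]
    with open(isp_path, "rb") as f:
        isp = f.read()
    with open(stock_path, "rb") as f:
        stock = f.read()
    # "tftp": stock.bin is the web-UI TP-Link image; "prog": a full 8 MiB dump
    image = build_tftp_image(isp, stock) if mode == "tftp" else build_programmer_image(isp, stock)
    with open(out_path, "wb") as f:
        f.write(image)
    print("wrote %s (%d bytes, %d KB)" % (out_path, len(image), len(image) // 1024))


if __name__ == "__main__":
    main(sys.argv)
```

After writing the `prog` image with an external programmer, read the chip back and run the read-back through `data_partitions_differ` against the image you wrote: if it returns True, the write did not take in the last three partitions, which is exactly the region where #81 suspects the write/verify problem and where #86 places the ISP's OTP-based protection.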