Hello, I tried to strip the original firmware from here: https://static.tp-link.com/2020/202011/20201127/RE450_V4_201105.zip (cut all until the Bytes "01 00 00 TP-Link" with an hex-editor). managed to flash it with serial and tftp, then I got an error in the serial console:
List of all partitions:
1f00 128 mtdblock0 (driver?)
1f01 768 mtdblock1 (driver?)
1f02 5248 mtdblock2 (driver?)
1f03 1984 mtdblock3 (driver?)
1f04 64 mtdblock4 (driver?)
No filesystem could mount root, tried: squashfs
Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(31,2)
The next try was to follow this guide: Archer C6 V2 (EU) bricked/bootloop - #7 by noseran
Also flashed via tftp, but that doesn't look good:
Dragonfly> tftpboot 0x8006000 original_sysupdate.bin
Trying eth0
Checking Link: Up
Checking Duplex: Full
Checking Speed 1000BaseT
dup 1 speed 1000
Using eth0 device
TFTP from server 192.168.1.234; our IP address is 192.168.1.1
Filename 'original_sysupdate.bin'.
Load address: 0x8006000
Loading: #################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
######################
done
Bytes transferred = 5099521 (4dd001 hex)
Dragonfly> tftpboot 0x8006000 original_sysupdate.bin&&erase 0x9f020000 +$filesize
Usage:
tftpboot- boot image via network using TFTP protocol
Dragonfly> erase 0x9f020000 +$filesize
Bad address format
Dragonfly> erase 0x9f020000 +0x4dd001
Erase Flash from 0x9f020000 to 0x9f4fffff in Bank # 1
First 0x2 last 0x4f sector size 0x10000
79
Erased 78 sectors
Dragonfly> cp.b 0x8006000 0x9f020000 0x4dd001
Copy to Flash... write addr: 9f020000
done
Dragonfly> boot
## Booting image at 9f020000 ...
Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80191910) ...
## Giving linux memsize in bytes, 67108864
Starting kernel ...
Booting QCA956x
Linux version 2.6.31--LSDK-9.2.0_U5.508 (tp-link@tplink) (gcc version 4.3.3 (GCC) ) #1 Wed Dec 20 20:19:43 CST 2017
flash_size passed from bootloader = 8
Ram size passed from bootloader =67108864
CPU revision is: 00019750 (MIPS 74Kc)
ath_sys_frequency: cpu 775 ddr 650 ahb 258
Determined physical RAM map:
memory: 04000000 @ 00000000 (usable)
Zone PFN ranges:
Normal 0x00000000 -> 0x00004000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
0: 0x00000000 -> 0x00004000
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 16256
Kernel command line: console=ttyS0,115200 root=31:2 rootfstype=squashfs init=/sbin/init mtdparts=ath-nor0:128k(u-boot),768k(kernel),5248k(rootfs),1984k(config),64k(art) mem=64M
PID hash table entries: 256 (order: 8, 1024 bytes)
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
Writing ErrCtl register=00000000
Readback ErrCtl register=00000000
Memory: 48308k/65536k available (1627k kernel code, 17160k reserved, 417k data, 108k init, 0k highmem)
NR_IRQS:128
plat_time_init: plat time init done
r4k_clockevent_init: Ignoring int_usable failure
Calibrating delay loop... 387.07 BogoMIPS (lpj=774144)
Mount-cache hash table entries: 512
****************ALLOC***********************
Packet mem: 8022c3c0 (0xe00000 bytes)
********************************************
NET: Registered protocol family 16
ath_pcibios_init: bus 0
ath_pcibios_init(255): PCI 0 CMD write: 0x356
registering PCI controller with io_map_base unset
gpio init: JUMP_START: 19, RST_DFT: 6
bio: create slab <bio-0> at 0
pcibios_map_irq: IRQ 76 for bus 0
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP reno registered
NET: Registered protocol family 1
ATH GPIOC major 0
squashfs: version 4.0 (2009/01/31) Phillip Lougher
msgmni has been set to 94
io scheduler noop registered
io scheduler deadline registered (default)
Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
serial8250.0: ttyS0 at MMIO 0xb8020000 (irq = 19) is a 16550A
console [ttyS0] enabled
PPP generic driver version 2.4.2
NET: Registered protocol family 24
5 cmdlinepart partitions found on MTD device ath-nor0
Creating 5 MTD partitions on "ath-nor0":
0x000000000000-0x000000020000 : "u-boot"
0x000000020000-0x0000000e0000 : "kernel"
0x0000000e0000-0x000000600000 : "rootfs"
0x000000600000-0x0000007f0000 : "config"
0x0000007f0000-0x000000800000 : "art"
TCP cubic registered
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
athwdt_init: Registering WDT success
VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
Freeing unused kernel memory: 108k freed
init started: BusyBox v1.19.4 (2017-12-20 20:23:41 CST)
starting pid 100, tty '': '/etc/rc.d/rcS'
This Board use 2.6.31
xt_time: kernel timezone is -0000
nf_conntrack version 0.5.0 (1024 buckets, 5120 max)
ip_tables: (C) 2000-2006 Netfilter Core Team
insmod: can't insert '/lib/modules/2.6.31/kernel/iptable_filter.ko': No such file or directory
insmod: can't insert '/lib/modules/2.6.31/kernel/iptable_nat.ko': No such file or directory
Lan Domain: tplinkrepeater.net
Lan Domain: www.tplinkrepeater.net
tp_dhcp_hook: module license 'unspecified' taints kernel.
Disabling lock debugging due to kernel taint
qca_soc_gmac: Length per segment 1536
956x_GMAC: qca956x_gmac_attach
956x_GMAC: qca956x_set_gmac_caps
Currently in polling mode unit1
qca_soc_gmac: RX TASKLET - Pkts per Intr:100
read flash fail.
MAC:1 Warning: Phy not found!!!
qca_soc_gmac: Max segments per packet : 1
qca_soc_gmac: Max tx descriptor count : 128
qca_soc_gmac: Max rx descriptor count : 128
qca_soc_gmac: Mac capability flags : 2202
956x_GMAC: qca956x_gmac_attach
956x_GMAC: qca956x_set_gmac_caps
Currently in polling mode unit0
Registering AR8033 Phy....
qca_soc_gmac: RX TASKLET - Pkts per Intr:100
read flash fail.
qca_soc_gmac: Max segments per packet : 1
qca_soc_gmac: Max tx descriptor count : 128
qca_soc_gmac: Max rx descriptor count : 128
qca_soc_gmac: Mac capability flags : 2202
956x_GMAC: Serdes PLL is locked value 0x1b838116
athr_gmac_ring_alloc Allocated 2048 at 0x838c4000
sram_desc_cnt 1536,mac Unit 0,Tx r->ring_desc 0xbd000000
athr_gmac_ring_alloc Allocated 2048 at 0x8318f800
sram_desc_cnt 3072,mac Unit 0,Rx r->ring_desc 0xbd000600
956x_GMAC: eth0 in SGMII MODE
athrs_ar8033_reg_init: Done
955x_SGMIIMax resets limit reached exiting...
955x_SGMII::athr_gmac_sgmii_setup Done
Setting Drop CRC Errors, Pause Frames and Length Error frames
Invert Set to 0
956x_GMAC: Enet Unit:0 PHY:0 is UP eth0 SGMII 100Mbps full duplex
956x_GMAC: done cfg2 0x7135 ifctl 0x10000 miictrl
955x_SGMIIMax resets limit reached exiting...
955x_SGMII::athr_gmac_sgmii_setup Done
Setting Drop CRC Errors, Pause Frames and Length Error frames
Invert Set to 1
956x_GMAC: unit 0: phy 0 not up carrier 1
device eth1 entered promiscuous mode
read tp partition address:0x00600000 partition_used_len:0xffffffff len:0x0
[NM_Error](nm_api_readPtnFromNvram) 00133: partition name not found(name:soft-version).
[device_error: sysInfo_init:1470]failed to read software version from flash!
[NM_Error](nm_api_readPtnFromNvram) 00133: partition name not found(name:user-config).
[usrcfg_error: usrconf_load:1157]read from flash failed
load factory setting...
[NM_Error](nm_api_readPtnFromNvram) 00133: partition name not found(name:default-config).
[usrcfg_error: usrconf_load_factory_setting:598]read default-config failed, all reset by hard code.
====>>>>default mac is
====>>>>default mac is
[NM_Error](nm_api_readPtnFromNvram) 00133: partition name not found(name:pin).
[wps_error: ucWps_reset:204]Error: Read pin from flash failed.
[NM_Error](nm_api_writePtnToNvram) 00074: partition name not found.
load factory setting done.
[NM_Error](nm_api_readPtnFromNvram) 00133: partition name not found(name:profile).
[usrcfg_error: usrconf_load_profile:1352]read from flash failed
[NM_Error](nm_api_readPtnFromNvram) 00133: partition name not found(name:product-info).
[device_error: sysmgr_cfg_getProductInfoFromNvram:936]ucm_nvram_proInfoRead() failed.
[NM_Error](nm_api_readPtnFromNvram) 00133: partition name not found(name:default-mac).
failed to read mac from flash
[daemonize:258]recv a pipe message.
httpMudCreate: MUD 0x4b0a60 was created
====>>>>open /tmp/device.info failed
[rpm_wifi_init_rf_band:6237]Can't get /tmp/device.info
[Error]wrpSockInit(): 556 @ g_webToUcmSocket: connect failed 01
[Error]wrpSockInit(): 561 @ g_webToUcmSocket: connect failed 02
[Error]wrpDoSockCmdNew(): 1446 @ wrpSockInit failed
[ERROR][WRP_TRANS_START():1077]: wrpDoSockCmdNew() failed(-1).
[WRP][wrpOpGrpDo:121]Failed trans!
httpServerCreate: try to add port 80
955x_SGMIIMax resets limit reached exiting...
955x_SGMII::athr_gmac_sgmii_setup Done
Setting Drop CRC Errors, Pause Frames and Length Error frames
br0: port 1(eth1) entering forwarding state
wifid[_init_hostapd_devinfo:4859]: Error in /tmp/device-info, use the default value
open /tmp/device_runtime.info file failed
[GPIOD][_gpio_get_system_mode:185]open /tmp/device_runtime.info file failed
[GPIOD][main:607]Error: get sysmode fail
[read_led_config 606]:open ledctrl.config fail
[read_power_config 725]:open fail
[read_acl_config 845]:open fail
[get_next_entry 129]:Too many task module
[task_setup 140]:task module register fail
[get_next_entry 129]:Too many task module
[task_setup 140]:task module register fail
[get_next_entry 129]:Too many task module
starting pid 258, tty '': '/sbin/getty ttyS0 115200'
[task_setup 140]:task module register fail
[SetDropBearPwd 56] Get user info failed.
[dst_read_config 1708]open config file /config/dst.config fail.
read config file fail.
(none) mips #1 Wed Dec 20 20:19:43 CST 2017 (none)
(none) login: wifid[qca_init_platform:4910]: failed to get wifi all config
wifid[main:186]: failed to init platform
restoring factory default...
No Wifi, no webserver and no CLI any more -> bricked 
I'm getting a login prompt at the serial console, but the default admin/admin does not work. I have tried to reset to factory default though.
Desoldering chips is not really an option for my limited skills. What could i try next?
Thx for any help in advance! What did I do wrong?
I searched a lot but couldn't find the Adresses for the V2, only for the V1 and used them, as the memory layout seems to be identical...
