TP Link TL-WA855RE v4 - Info for Devs and help needed

As the mfr firmware didnt do what I needed on this unit, I thought I would give Openwrt a shot. Long story short, my device boots the Uboot menu, but wont boot any further. Im either trying to get the mfr firmware working again OR Openwrt (as a preference). I know this device isnt listed as a supported device, though if anyone wants to/can help, I will give details of what Ive tried and also, for any developers, what I have found out about the device.

What I tried and where Im stuck

I booted the unit when I got serial working and attempted to load openwrt-ramips-mt76x8-tplink_re305-v1-squashfs-factory.bin by choosing option "Load system code to SDRAM via TFTP."

This is now where the box is stuck at since...... (P.S. the full ORIGINAL BOOT, pre trying to update the firmware to Openwrt, is further down this post).

Please choose the operation:
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   9: Load Boot Loader code then write to Flash via TFTP.
   a: Load firmware then write to Flash via http(192.168.0.254).
default: 3                                                                    0

3: System Boot system code via Flash.
############gpioMode1 Reg: 0x570544c4
############gpioMode2 Reg: 0x5540554
## Booting image at bc020000 ...
text base: 7a697365
entry point: 39333d65
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 39333d65) ...
## Giving linux memsize in MB, 32

Starting kernel ...

I have tried:

  • Upload 2 x versions of the mfr firmware via tftp and web page (option 1 and a).
  • Upload 2 x versions via option 2.
  • Tried to tfttboot, erase and copy the flash.
 tftpboot 0x80000000 tplinkboot.bin

 netboot_common, argc= 3

 NetTxPacket = 0x81FE2C80

 KSEG1ADDR(NetTxPacket) = 0xA1FE2C80

 NetLoop,call eth_halt !

 NetLoop,call eth_init !
Trying Eth0 (10/100-M)

 Waitting for RX_DMA_BUSY status Start... done

etc.... (the above all went through successfully)

erase b 0x9f020000 +0x3c0000

 Erase from 0x9F020000 length 0x0 !!
cp.b 0x80000000 0x9f020000 3c0000

 Copy 0x80000000[3932160 byte] to SPI Flash[0x9F020000]....

The system just sits at Starting Kernel with the manufacturers firmware!

I have tried to strip the manufacturers firmware of the 1st (cant remember the amount) X bytes and perform the above. It complains at me that its a bad checksum.

If I install Openwrt via option 2 (Load system code then write to Flash via TFTP)... I get a boot loop with the following error:

3: System Boot system code via Flash.
############gpioMode1 Reg: 0x570544c4
############gpioMode2 Reg: 0x5540554
## Booting image at bc020000 ...
text base: ffffffff
entry point: ffffffff
   Uncompressing Kernel Image ... LZMA ERROR 1 - must RESET board to recover
[04020D06][04020D07]
DDR Calibration DQS reg = 00008888

Any ideas or suggestions are welcome, but its not the end of the world if not!! Id love to get OpenWrt working if anyone has any ideas down that route. Im not worried about trying anything, as the device is dead to me and so Im happy to give anything a shot.

FYI, Im technical, but dont know my way around Uboot etc, so any instructions given, please give full commands or if I have to go find something like a memory address, pls explain how I would do that.

Thanks!!!

What I have found out about the device

Hardware Specs

CPU: MT7628 @ 575Mhz
RAM: 32MB
NAND: 256MB

Serial Connection

Uses 3.3v running at 57000 8N1 with no parity/flow control.

Getting serial connected/working and pressing the menu selections can be a bit of a struggle.. you need 3 hands as the menu flashes by so quickly. If you get into the command line (option 4) I would suggest setting setenv bootdelay 15 and saveenv so that you get a 15 second window each time it boots, to select your option (or let it auto select 3).

If the board is plugged into the main unit and drawing its power from the wall plug socket, then the serial interface just sends out gibberish. So you have to have the circuit board removed from the plastic housing etc to get the below out of it:

U-Boot 1.1.3 (Oct 18 2018 - 14:48:52)

Board: Ralink APSoC DRAM:  32 MB
relocate_code Pointer at: 81f8c000
flash manufacture id: c8, device id 40 16
find flash: GD25Q32B
*** Warning - bad CRC, using default environment

board_init_r :  load_addr is 81000000
============================================
Ralink UBoot Version: 4.3.0.0
--------------------------------------------
ASIC 7628_MP (Port5<->None)
DRAM component: 256 Mbits DDR, width 16
DRAM bus: 16 bit
Total memory: 32 MBytes
Flash component: SPI Flash
Date:Oct 18 2018  Time:14:48:52
============================================
icache: sets:512, ways:4, linesz:32 ,total:65536
dcache: sets:256, ways:4, linesz:32 ,total:32768

 ##### The CPU freq = 575 MHZ ####
 estimate memory size =32 Mbytes
RESET MT7628 PHY!!!!!!@@@@@@@@@@@@rt305x_esw_init, 0x64 value:0x5540554
@@@@@@@@@@@@rt305x_esw_init, after tp, 0x64 value:0x5540554

Please choose the operation:
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   9: Load Boot Loader code then write to Flash via TFTP.
   a: Load firmware then write to Flash via http(192.168.0.254).
default: 3

You choosed 3
                                                                              0

3: System Boot system code via Flash.
############gpioMode1 Reg: 0x570544c4
############gpioMode2 Reg: 0x5540554
## Booting image at bc020000 ...
text base: 80000000
entry point: 8000c150
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 8000c150) ...
## Giving linux memsize in MB, 32

Starting kernel ...


LINUX started...

 THIS IS ASIC
Linux version 2.6.36 (ljm@W10549_01) (gcc version 4.6.3 (Buildroot 2012.11.1) ) #1 Fri Dec 13 16:43:50 CST 2019

 The CPU feqenuce set to 580 MHz
CPU revision is: 00019655 (MIPS 24Kc)
Software DMA cache coherency
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
Zone PFN ranges:
  Normal   0x00000000 -> 0x00002000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00002000
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 8128
Kernel command line: console=ttyS1,57600n8 root=/dev/mtdblock3
PID hash table entries: 128 (order: -3, 512 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Primary instruction cache 64kB, VIPT, , 4-waylinesize 32 bytes.
Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
Writing ErrCtl register=0000d8c0
Readback ErrCtl register=0000d8c0
Memory: 29836k/32768k available (1889k kernel code, 2876k reserved, 423k data, 132k init, 0k highmem)
Hierarchical RCU implementation.
        RCU-based detection of stalled CPUs is disabled.
        Verbose stalled-CPUs detection is disabled.
NR_IRQS:128
console [ttyS1] enabled
Calibrating delay loop... 386.04 BogoMIPS (lpj=772096)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
NET: Registered protocol family 16
RALINK_GPIOMODE = 570544c4
RALINK_GPIOMODE = 570444c4
***** Xtal 40MHz *****
start PCIe register access
RALINK_RSTCTRL = 2400000
RALINK_CLKCFG1 = fdbfffc0

*************** MT7628 PCIe RC mode *************
PCIE0 no card, disable it(RST&CLK)
bio: create slab <bio-0> at 0
Switching to clocksource MIPS
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
squashfs: version 4.0 (2009/01/31) Phillip Lougher
msgmni has been set to 58
io scheduler noop registered (default)
Ralink gpio driver initialized
Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0x10000d00 (irq = 21) is a 16550A
serial8250: ttyS1 at MMIO 0x10000c00 (irq = 20) is a 16550A
flash manufacture id: c8, device id 40 16
GD25Q32B(c8 40160000) (4096 Kbytes)
mtd .name = raspi, .size = 0x00400000 (4M) .erasesize = 0x00010000 (64K) .numeraseregions = 0
Creating 5 MTD partitions on "raspi":
0x000000000000-0x000000400000 : "ALL"
0x000000000000-0x000000020000 : "fs-uboot"
0x000000020000-0x000000100000 : "os-image"
0x000000100000-0x0000003c2000 : "file-system"
mtd: partition "file-system" doesn't end on an erase block -- force read-only
0x0000003f0000-0x000000400000 : "radio"
TCP cubic registered
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
VFS: Mounted root (squashfs filesystem) readonly on device 31:3.
Freeing unused kernel memory: 132k freed
init started: BusyBox v1.19.4 (2019-12-13 16:44:46 CST)
starting pid 16, tty '': '/etc/rc.d/rcS'
This Board use 2.6.36.x
GMAC1_MAC_ADRH -- : 0x0000000c
GMAC1_MAC_ADRL -- : 0x43288082
Ralink APSoC Ethernet Driver Initilization. v3.1  256 rx/tx descriptors allocated, mtu = 1500!
GMAC1_MAC_ADRH -- : 0x0000000c
GMAC1_MAC_ADRL -- : 0x4328804a
PROC INIT OK!
Lan Domain: tplinkrepeater.net
Lan Domain: www.tplinkrepeater.net
Allow Domain: apple.com
tp_dhcp_hook: module license 'unspecified' taints kernel.
Disabling lock debugging due to kernel taint
device eth2 entered promiscuous mode
====>>>>========================================

====>>>>1163198464

====>>>>Original SID is

====>>>>4-34
====>>>>5-35
====>>>>5-35
====>>>>5-35
====>>>>0-30
====>>>>0-30
====>>>>0-30
====>>>>0-30
====>>>>Original WIFIRegion is DE

====>>>>Changed WIFIRegion to DE

[ucEthernet_init:134]ERROR product_id= 08550400

====>>>>caldata: 76 28 DE AD 76 12 DE AD
====>>>>default mac is d8-0d-17-4a-2b-2e
====>>>>default mac is d8-0d-17-4a-2b-2e
[main:539]send a pipe message.

[daemonize:327]recv a pipe message.

====>>>>pub send to smartip status 101 to OK
wifid[_set_prelink_parameter:2801]: l_mtk.doing_pre_link status : 0

[smartip_get_wifi_update_eth_bridge_status 580] open /tmp/wifi_update_eth_and_bridge file failed


httpMudCreate: MUD 0x4ae6e0 was Raeth v3.1 (created
Tasklet)

phy_tx_ring = 0x00c83000, tx_ring = 0xa0c83000

phy_rx_ring0 = 0x00c84000, rx_ring0 = 0xa0c84000
---@@@@@@driver rt305x_esw_init 0x64 value:0x5540554
---@@@@@@driver rt305x_esw_init 0x64 value:0x5540554
Gpio Mode Value: 570444c4
Gpio Mode Value: 570444c4
GMAC1_MAC_ADRH -- : 0x0000d80d
GMAC1_MAC_ADRL -- : 0x174a2b2e
RT305x_ESW: Link Status Changed
httpServerCreate: try to add port 80
starting pid 108, tty '': '/sbin/getty ttyS1 57600'
br0: port 1(eth2) entering forwarding state
br0: port 1(eth2) entering forwarding state

TL-WA855RE login: MT7628-->

=== pAd = c0536000, size = 1409792 ===

<-- RTMPAllocTxRxRingMemory, Status=0, ErrorValue=0x
<-- RTMPAllocAdapterBlock, Status=0
MT7628-->RtmpChipOpsHook(492): Not support for HIF_MT yet!
MT7628-->mt7628_init()-->
MT7628-->mt7628_init(FW(8a00), HW(8a01), CHIPID(7628))
MT7628-->e2.bin mt7628_init(1135)::(2), pChipCap->fw_len(63888)
MT7628-->mt_bcn_buf_init(218): Not support for HIF_MT yet!
MT7628--><--mt7628_init()
s3MT7628-->TX_BCN DESC a195b000 size = 320
MT7628-->RX[0] DESC a195d000 size = 4096
MT7628-->RX[1] DESC a1960000 size = 1024
MT7628-->E2pAccessMode=2
MT7628-->CountryCode=DE
MT7628-->cfg_mode=9
MT7628-->cfg_mode=9
MT7628-->wmode_band_equal(): Band Equal!
MT7628-->AndesSendCmdMsg: Could not send in band command due to diable fRTMP_ADAPTER_MCU_SEND_IN_BAND_CMD
MT7628-->APSDCapable[0]=1
MT7628-->APSDCapable[1]=1
MT7628-->APSDCapable[2]=1
MT7628-->APSDCapable[3]=1
MT7628-->APSDCapable[4]=1
MT7628-->APSDCapable[5]=1
MT7628-->APSDCapable[6]=1
MT7628-->APSDCapable[7]=1
MT7628-->APSDCapable[8]=1
MT7628-->APSDCapable[9]=1
MT7628-->APSDCapable[10]=1
MT7628-->APSDCapable[11]=1
MT7628-->APSDCapable[12]=1
MT7628-->APSDCapable[13]=1
MT7628-->APSDCapable[14]=1
MT7628-->APSDCapable[15]=1
MT7628-->default ApCliAPSDCapable[0]=1
MT7628-->Key1Str is Invalid key length(0) or Type(0)
MT7628-->Key2Str is Invalid key length(0) or Type(0)
MT7628-->Key3Str is Invalid key length(0) or Type(0)
MT7628-->Key4Str is Invalid key length(0) or Type(0)
MT7628-->Smart Carrier Sense = 1
MT7628-->RTMPSetSingleSKUParameters - the country region is 5.
MT7628-->RTMPSetSingleSKUParameters - country code is DE .
MT7628-->RTMPSetSingleSKUParameters - the country DFSType is 0.
MT7628-->Loading SKU file: /etc_ro/Wireless/RT2860/SingleSKU_2G_CE.dat
MT7628-->load fw image from fw_header_image
MT7628-->AndesMTLoadFwMethod1(2182)::pChipCap->fw_len(63888)
MT7628-->FW Version:MT7628-->2MT7628-->0MT7628-->1MT7628-->5MT7628-->1MT7628-->2MT7628-->0MT7628-->1MT7628-->MT7628-->MT7628-->
MT7628-->FW Build Date:MT7628-->2MT7628-->0MT7628-->1MT7628-->5MT7628-->1MT7628-->2MT7628-->0MT7628-->1MT7628-->1MT7628-->8MT7628-->3MT7628-->6MT7628-->4MT7628-->1MT7628-->MT7628-->
MT7628-->CmdAddressLenReq:(ret = 0)
MT7628-->CmdFwStartReq: override = 1, address = 1048576
MT7628-->CmdStartDLRsp: WiFI FW Download Success
MT7628-->MtAsicDMASchedulerInit(): DMA Scheduler Mode=0(LMAC)
efuse_probe: efuse = 10000012
MT7628-->RtmpChipOpsEepromHook::e2p_type=2, inf_Type=4
MT7628-->RtmpEepromGetDefault::e2p_dafault=2
MT7628-->RtmpChipOpsEepromHook: E2P type(2), E2pAccessMode = 2, E2P default = 2
MT7628-->NVM is FLASH mode
MT7628-->1. Phy Mode = 14
[04010C0E][04010C0F]
DDR Calibration DQS reg = 00008887

Bdinfo

bdinfo
boot_params = 0x81F2BFB0
memstart    = 0x80000000
memsize     = 0x02000000
flashstart  = 0x00000000
flashsize   = 0x00400000
flashoffset = 0x00000000
ethaddr     = 00:00:AA:BB:CC:DD
ip_addr     = 192.168.0.254
baudrate    = 57600 bps

Printenv

 printenv
bootcmd=tftp
bootdelay=1
baudrate=57600
ethaddr="00:AA:BB:CC:DD:10"
ipaddr=192.168.0.254
serverip=192.168.0.184
stdin=serial
stdout=serial
stderr=serial

Commands available at command line

help
?       - alias for 'help'
base    - print or set address offset
bdinfo  - print Board Info structure
bootm   - boot application image from memory
bootp   - boot image via network using BootP/TFTP protocol
coninfo - print console devices and information
cp      - memory copy
crc32   - checksum calculation
erase   - erase SPI FLASH memory
go      - start application at address 'addr'
help    - print online help
iminfo  - print header information for application image
loop    - infinite loop on address range
md      - memory display
mdio   - Ralink PHY register R/W command !!
mm      - memory modify (auto-incrementing)
mtest   - simple RAM test
nm      - memory modify (constant address)
printenv- print environment variables
rarpboot- boot image via network using RARP/TFTP protocol
reset   - Perform RESET of the CPU
rf      - read/write rf register
saveenv - save environment variables to persistent storage
setenv  - set environment variables
sleep   - delay execution for some time
spi     - spi command
tftpboot- boot image via network using TFTP protocol
version - print monitor version

@erew, welcome to the community!

Then I have no clue how anyone here could help you. Also, if your device isn't listed, the problem is most likely that you're not using a firmware for your device (by your own admission). Lastly, if you merely booted the firmware, your OEM firmware should have remained intact.

That's what we would need from you. :slightly_frowning_face:

There are threads on how to find this information - in the For Developers section.

This is almost a nonstarter for OpenWrt running on devices - moving forward in the future.

I hope this helps.

Thanks for the reply!!

Yeah, I thought Id take a shot with the hardware as its useless to me with the firmware it has on it.. all I actually wanted was it to have a decent DHCP server on one of the wifi links, so only needed a minimal build anyway, hence the 32MB wasnt much of an issue for me, though I appreciate that Openwrt is currently on limited support for 32MB and under.

I did have the belief as you state, that it should have remained in a working condition with the manufactures firmware on it, after all I did was the "Load system code to SDRAM via TFTP" in the initial.... though thats the mysteries of computers

When I said Im technical, I meant I have 24+ years working in the IT industry, so quite technically savvy over that time, but I havnt played around with the deep inner workings of Uboot and I dont like it when people give unclear instructions... it makes it difficult for the reader and anyone in future whom is trying to learn and get into a new technical field.

As for anyone giving any help, I thought it possible that someone may have a pointer e.g. hexdump the memory, find the start address where the uploaded binary is located, confirm its a byte for byte match for the bin file and confirm its booting from the correct memory address.

If anyone in future does want to take a shot at it, Im happy to have a go as this unit is dead hardware to me either way, with or without the manufacturers firmware on it.

Thanks

  • And I was saying that...you would have that information, as you're starting at your uboot via serial, correct?
  • Are you asking for a Uboot manual to type the correct commands?
  • Are you asking for the command (for e.g. locate start addresses)???
    • it's printenv
  • Are you saying you accidentally wiped it?

I'm really lost at how you're at the machine; but asking us for "pointers" that only you'd would possibly know at this time, especially given you're asking in regards to an unsupported device.

:confused:

EDIT:

Fair enough!

Thanks for the links, Ill take a look!

1 Like

Just for test. Try this image:


It's initramfs image for starting from memory. To run exec (after renaming to firmware.bin)

tftpboot 80000000 firmware.bin
go 80000000
2 Likes

@123serge123 Great!!! That seems to be booting!!! Thanks so much. Ill have a look, see how far I can get with it and let you know if all works fine!!

Again, thanks so much!!

It should be noted that this image is used for tests and backups of original flash content. After reboot you get original firmware again. Creation of fullfunctional openwrt image may be difficult because of small flash chip (SPI NOR GD25Q32B 4096 Kbytes)

@123serge123 Thanks so much! That gives me a route to look down and play around to see what I can get working or not!

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.