TP-Link vr2600 restore stock firmware - Help needed

Hi, I have an old vr2600 VDSL modem router running OpenWrt but I'm aware there are currently no instructions for restoring stock TP-Link firmware to this device.

VR2600 OpenWrt device page

The TP recovery .bin file is 19.5MB which is larger than the 16MB flash on the device!

Filename: Archer_VR2600v1_1.4.0_0.8.0_up_boot(160518)_2016-05-18_14.20.31.bin
TP-Link VR2600 stock firmware (19.5MB)

Flash layout from similar VR2600v.
The original OpenWrt install instructions overwrite the kernel and rootfs.

0x000000000000-0x000000020000	“SBL1”
0x000000020000-0x000000040000	“MIBIB”
0x000000040000-0x000000080000	“SBL2”
0x000000080000-0x000000100000	“SBL3”
0x000000100000-0x000000110000	“DDRCONFIG”
0x000000110000-0x000000120000	“SSD”
0x000000120000-0x0000001a0000	“TZ”
0x0000001a0000-0x000000220000	“RPM”
0x000000220000-0x0000002a0000	“APPSBL”
0x0000002a0000-0x0000002e0000	“APPSBLENV”
0x0000002e0000-0x000000320000	“OLDART”

0x000000320000-0x000000520000	“kernel”
0x000000520000-0x000000f80000	“rootfs”

0x000000faf100-0x00000faf0200	“default-mac”
0x000000fc0000-0x000001000000	“ART”

The kernel and rootfs are about 12MB in size. (size: F80000-320000 = C60000)

I ran binwalk on the stock TP-Link firmware image and it reported:

user@ubuntu:~/Downloads$ binwalk vr2600.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
512           0x200           Qualcomm SBL1, image addr: 2a000000, image size: 46448, code size: 46448, sig size: 0, cert chain size: 0, oem_root_cert_sel: 1, oem_num_root_certs: 1
42384         0xA590          Unix path: /home/blake/work/sblcodes/ipq8064-ilq-1-3_qca_internal_integrationandtest-src-boot/boot_images/core/boot/secboot3/hw/msm8960/sbl
132864        0x20700         ATAGs msm parition table (msmptbl), version: 3, number of paritions: 13
198400        0x30700         ATAGs msm parition table (msmptbl), version: 3, number of paritions: 13
349884        0x556BC         Unix path: /home/blake/work/sblcodes/ipq8064-ilq-1-3_qca_internal_integrationandtest-src-boot/boot_images/core/boot/secboot3/hw/msm8960/sbl
650988        0x9EEEC         CRC32 polynomial table, little endian
652092        0x9F33C         Unix path: /home/blake/work/sblcodes/ipq8064-ilq-1-3_qca_internal_integrationandtest-src-boot/boot_images/core/boot/secboot3/hw/msm8960/sbl
1318332       0x141DBC        Base64 standard index table
2501653       0x262C15        Certificate in DER format (x509 v3), header length: 4, sequence length: 1284
2501769       0x262C89        Certificate in DER format (x509 v3), header length: 4, sequence length: 1288
2550416       0x26EA90        CRC32 polynomial table, little endian
2552704       0x26F380        CRC32 polynomial table, little endian

3277824       0x320400        uImage header, header size: 64 bytes, header CRC: 0x13AD667F, created: 2016-05-18 03:29:43, image size: 1884144 bytes, Data Address: 0x41508000, Entry Point: 0x41508000, data CRC: 0x668B4A1D, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.4.103"
3277888       0x320440        Linux kernel ARM boot executable zImage (little-endian)
3291823       0x323AAF        xz compressed data
3292044       0x323B8C        xz compressed data
5374464       0x520200        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 8917748 bytes, 779 inodes, blocksize: 262144 bytes, created: 2016-05-18 06:09:16

16253440      0xF80200        TP-Link firmware header, firmware version: 0.-1456.0, image version: "", product ID: 0x0, product version: -1047527423, kernel load address: 0x0, kernel entry point: 0x80010000, kernel offset: 4230193, kernel length: 0, rootfs offset: 1339432, rootfs length: 0, bootloader offset: 2883584, bootloader length: 0
16253952      0xF80400        Broadcom 96345 firmware header, header size: 256, firmware version: "68", board id: "63168TP", ~CRC32 header checksum: 0x1C88C51, ~CRC32 data checksum: 0xE47CFBBF
16268708      0xF83DA4        LZMA compressed data, properties: 0x6D, dictionary size: 4194304 bytes, uncompressed size: 250496 bytes
16318288      0xF8FF50        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 2824788 bytes, 497 inodes, blocksize: 131072 bytes, created: 2016-05-18 02:22:07
19144540      0x1241F5C       LZMA compressed data, properties: 0x6D, dictionary size: 4194304 bytes, uncompressed size: 3953632 bytes


Can anyone advise whether it is as simple as extracting the ARM section between 0x320400 and 0xF80200 (size: 0xF80200-0x320400 = C5FE00, which is less than C60000) from the original TP-Link firmware and writing it to the flash using the original OpenWrt serial installation method?

The Broadcom stuff starting at 0xF80200 is under 3MB in size and I can only guess it is written to another area of the same flash chip, which I presume was never overwritten by the original OpenWrt install.

Any suggestions and help welcome.

Disclaimer: I don't know this device and explicitly won't provide advice (as the consequences would be pretty risky), but…

I would assume that you only need 0x320400-0xF80199, as that seems to be kernel + rootfs; OpenWrt shouldn't have ever touched SBL1 and all the bootloader stuff. 0xF80200 and upwards seems to be just the (Broadcom-) VDSL stuff (which has its own SoC, flash & RAM; that is the reason why the firmware updates are larger than 16 MB, for the second Broadcom flash). You can update that later on by flashing the OEM firmware from the running OEM again.

Again, I do not know this device and have not checked any details about it beyond the information you provided. This is risky and should be cross-checked and verified multiple times before attempting to flash anything; do this only at your own risk.


I presume provided I don't accidentally overwrite any memory space outside of the range 0x320400-0xF80199, then in theory I should be able to use Serial to reinstate previous working OpenWrt if I brick it....

I also used the hex editor to examine the original OEM .bin file.

Correction. Kernel begins at 0x320200 in the file. NOT at 0x320400 shown below and suggested by binwalk.

The addresses around 0x320400+0x200000 = 0x520400, where it supposedly transitions between the kernel and rootfs, look like gibberish with no clear demarcation. hmm...

At 0x520400 (corresponds to 0x520000 in flash layout)

If I page up a bit (512 bytes?) to:
0x520200 in the recovery file. This is the start of the rootfs.

Did you search the web (not only OpenWrt resources) if this device has a functioning push-button tftp recovery? TP-Link usually has a tftpd running in the bootloader, but they've changed the details over half a dozen times in the last 5 years...

According to OpenWrt wiki, there is no push button tftp recovery for the vr2600 (with 2016 oem fw which is what was installed on this router prior to OpenWrt). Push button recovery was only added to the later vr2600v (oem firmware 2017 onwards). No luck searching elsewhere.

I've found a flash dump from vr2600v posted by @robimarko back in 2020.
https://forum.openwrt.org/t/need-full-dump-tp-link-archer-vr2600-installation/48081/23

Comparing the vr2600v flash dump to the vr2600v recovery image, it appears the kernel actually begins at 0x320200 within the OEM firmware recovery file, and not at 0x320400 as suggested by binwalk.

I compared the flash dump to the recovery image, Archer_VR2600vv1_1.4.0_0.8.0_up_boot(170628)_2017-06-28_16.03.13.bin

The kernel+rootfs areas appear identical at first glance. However, the flash dump includes additional code in the kernel.

I don't know where this code came from and as it is in the kernel area, I guess it is created by an unidentified routine when the firmware is written to the flash.

I used a hex editor and extracted the kernel and rootfs from the TP-Link OEM firmware which I knew was originally installed on this VR2600 v1, prior to OpenWrt.

OEM FW filename: Archer_VR2600v1_1.4.0_0.8.0_up_boot(160518)_2016-05-18_14.20.31.bin

start address: 0x320200
end address: 0xF801FF
size:  0xC60000

Then flashed the file to the VR2600 by following the OpenWrt instructions.

Upon restarting the VR2600: success!

Briefly tested wifi and internet access in normal wireless router mode. I don't have xDSL service so cannot test it at this time.

Then used the TP-Link GUI to reinstall the full OEM firmware.

Will test the VR2600.

Wifi and USB file sharing working.

vr2600 OpenWrt device page updated

Update: I can confirm VDSL/FTTC is working.
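
A pre-flash sanity check for the extraction described in this thread, as an added example that is not part of the original posts. It carves the region at the file offsets given above and confirms that the uImage header (standard U-Boot legacy layout, with header and data CRC32) and the squashfs magic sit where binwalk reported them; the function names are hypothetical and the sample image is constructed, not real firmware.

```python
import struct
import zlib

# File offsets inside the OEM .bin, as given in the thread.
START, SIZE = 0x320200, 0xC60000   # kernel+rootfs region that was extracted
UIMAGE_OFF = 0x320400 - START      # binwalk's uImage hit, relative to the carve
ROOTFS_OFF = 0x520200 - START      # binwalk's squashfs hit, relative to the carve
UIMAGE_MAGIC, SQUASHFS_MAGIC = 0x27051956, b"hsqs"

def carve(image: bytes) -> bytes:
    """Return the kernel+rootfs region; refuse images that are too short."""
    if len(image) < START + SIZE:
        raise ValueError("image shorter than the region to extract")
    return image[START:START + SIZE]

def check_region(region: bytes) -> list:
    """Return the problems found; an empty list means every check passed."""
    if len(region) != SIZE:
        return ["region is not exactly 0x%X bytes" % SIZE]
    hdr = region[UIMAGE_OFF:UIMAGE_OFF + 64]
    magic, hcrc, _t, dsize, _load, _ep, dcrc = struct.unpack(">7I", hdr[:28])
    if magic != UIMAGE_MAGIC:
        return ["no uImage magic at region offset 0x%X" % UIMAGE_OFF]
    problems = []
    # The header CRC is computed with its own field zeroed.
    if zlib.crc32(hdr[:4] + bytes(4) + hdr[8:]) != hcrc:
        problems.append("uImage header CRC mismatch")
    data = UIMAGE_OFF + 64
    if data + dsize > ROOTFS_OFF:
        problems.append("kernel runs past the rootfs offset")
    elif zlib.crc32(region[data:data + dsize]) != dcrc:
        problems.append("uImage data CRC mismatch")
    if region[ROOTFS_OFF:ROOTFS_OFF + 4] != SQUASHFS_MAGIC:
        problems.append("no squashfs magic at region offset 0x%X" % ROOTFS_OFF)
    return problems

def build_sample() -> bytes:
    """Constructed stand-in for the OEM file (zero-filled, not real firmware)."""
    kernel = b"K" * 1000
    hdr = bytearray(struct.pack(">7I", UIMAGE_MAGIC, 0, 0, len(kernel), 0, 0,
                                zlib.crc32(kernel)) + bytes(36))
    hdr[4:8] = struct.pack(">I", zlib.crc32(bytes(hdr)))
    img = bytearray(START + SIZE + 0x1000)
    img[0x320400:0x320400 + len(hdr) + len(kernel)] = hdr + kernel
    img[0x520200:0x520204] = SQUASHFS_MAGIC
    return bytes(img)

if __name__ == "__main__":
    print(check_region(carve(build_sample())) or "all checks passed")
```

To check a real image, read the OEM file's bytes and pass them to `carve`; write the result out only if `check_region` returns an empty list.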
