Unable to mount root - Archer MR200 V1

Hey there.

After beautifully bricking my router, I got a chip adapter and flashed via my Raspberry Pi, only to see an "Unable to mount root" message. I managed to flash LEDE/OpenWRT through TFTP, tried to update to stock using one of the firmwares provided in the forums, and saw the same error.

Quick disclaimer that the router is locked to Wind Hellas.

post the error message / console log.

------------------
 Archer C2 v1.0.0
------------------
spi_wait_nsec: 29
spi device id: c8 40 17 c8 40 (4017c840)
find flash: GD25Q64C
============================================
Ralink UBoot Version: 4.1.2.0
--------------------------------------------
ASIC 7620_MP (Port5<->GigaSW)
DRAM component: 512 Mbits DDR, width 16
DRAM bus: 16 bit
Total memory: 64 MBytes
Flash component: SPI Flash
Date:Aug 31 2015  Time:16:32:16
============================================
icache: sets:512, ways:4, linesz:32 ,total:65536
dcache: sets:256, ways:4, linesz:32 ,total:32768

 ##### The CPU freq = 580 MHZ ####
 estimate memory size =64 Mbytes

continue to starting system.                                                                                                                                                                                                               0
disableEthForward(1158):disable switch forward...

3: System Boot system code via Flash.(0xbc020000)
do_bootm:argc=2, addr=0xbc020000
## Booting image at bc020000 ...
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 8000c150) ...
## Giving linux memsize in MB, 64

Starting kernel ...

ζ€˜β–’β–’β–’β–’ffβ–’faβ–’fβ–’β–’β–’fβ–’Γ†β–’β–’β–’ζ€˜β–’ζ€˜β–’β–’3`fβ–’β–’faβ–’β–’faβ–’fβ–’β–’β–’ζ€˜β–’Linux version 2.6.36 (jenkins@dev-server) (gcc version 4.6.3 (Buildroot 2012.11.1) ) #139 Mon Jan 18 13:50:36 CST 2016

 The CPU feqenuce set to 580 MHz

 MIPS CPU sleep mode enabled.
 PCIE: bypass PCIe DLL.
 PCIE: Elastic buffer control: Addr:0x68 -> 0xB4
 disable all power about PCIe
CPU revision is: 00019650 (MIPS 24Kc)
Determined physical RAM map:
 memory: 04000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Zone PFN ranges:
  Normal   0x00000000 -> 0x00004000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00004000
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16256
Kernel command line: console=ttyS1,115200 root=/dev/mtdblock2 rootfstype=squashfs init=/sbin/init
PID hash table entries: 256 (order: -2, 1024 bytes)
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
Writing ErrCtl register=00057300
Readback ErrCtl register=00057300
Memory: 61188k/65536k available (2854k kernel code, 4348k reserved, 593k data, 164k init, 0k highmem)
NR_IRQS:128
MTK/Ralink System Tick Counter init... cd:8034bf68, m:214748, s:32
console [ttyS1] enabled
Calibrating delay loop... 386.04 BogoMIPS (lpj=772096)
pid_max: default: 4096 minimum: 301
Mount-cache hash table entries: 512
NET: Registered protocol family 16
RALINK_GPIOMODE = 5ab11d
RALINK_GPIOMODE = 58b11d
PPLL_CFG1=0xe60000
MT7620 PPLL lock
PPLL_DRV =0x80080504
start PCIe register access
RALINK_PCI_PCICFG_ADDR = 1000f0

*************** MT7620 PCIe RC mode *************
bio: create slab <bio-0> at 0
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
pci 0000:00:00.0: BAR 8: assigned [mem 0x20000000-0x201fffff]
pci 0000:00:00.0: BAR 1: assigned [mem 0x20200000-0x2020ffff]
pci 0000:00:00.0: BAR 1: set to [mem 0x20200000-0x2020ffff] (PCI address [0x20200000-0x2020ffff]
pci 0000:01:00.0: BAR 0: assigned [mem 0x20000000-0x200fffff]
pci 0000:01:00.0: BAR 0: set to [mem 0x20000000-0x200fffff] (PCI address [0x20000000-0x200fffff]
pci 0000:01:00.1: BAR 0: assigned [mem 0x20100000-0x201fffff]
pci 0000:01:00.1: BAR 0: set to [mem 0x20100000-0x201fffff] (PCI address [0x20100000-0x201fffff]
pci 0000:00:00.0: PCI bridge to [bus 01-01]
pci 0000:00:00.0:   bridge window [io  disabled]
pci 0000:00:00.0:   bridge window [mem 0x20000000-0x201fffff]
pci 0000:00:00.0:   bridge window [mem pref disabled]
BAR0 at slot 0 = 0
bus=0x0, slot = 0x0
res[0]->start = 0
res[0]->end = 0
res[1]->start = 20200000
res[1]->end = 2020ffff
res[2]->start = 0
res[2]->end = 0
res[3]->start = 0
res[3]->end = 0
res[4]->start = 0
res[4]->end = 0
res[5]->start = 0
res[5]->end = 0
bus=0x1, slot = 0x0
res[0]->start = 20000000
res[0]->end = 200fffff
res[1]->start = 0
res[1]->end = 0
res[2]->start = 0
res[2]->end = 0
res[3]->start = 0
res[3]->end = 0
res[4]->start = 0
res[4]->end = 0
res[5]->start = 0
res[5]->end = 0
bus=0x1, slot = 0x0
res[0]->start = 20100000
res[0]->end = 201fffff
res[1]->start = 0
res[1]->end = 0
res[2]->start = 0
res[2]->end = 0
res[3]->start = 0
res[3]->end = 0
res[4]->start = 0
res[4]->end = 0
res[5]->start = 0
res[5]->end = 0
Switching to clocksource Ralink external timer
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP reno registered
NET: Registered protocol family 1
RT3xxx EHCI/OHCI init.
squashfs: version 4.0 (2009/01/31) Phillip Lougher
fuse init (API version 7.15)
msgmni has been set to 119
io scheduler noop registered
io scheduler deadline registered (default)
Ralink gpio driver initialized
Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
serial8250: ttyS0 at MMIO 0x10000500 (irq = 37) is a 16550A
serial8250: ttyS1 at MMIO 0x10000c00 (irq = 12) is a 16550A
loop: module loaded
deice id : c8 40 17 c8 40 (4017c840)
Warning: un-recognized chip ID, please update SPI driver!
AT25DF321(1f 47000000) (4096 Kbytes)
mtd .name = raspi, .size = 0x00400000 (0M) .erasesize = 0x00000004 (0K) .numeraseregions = 65536
Creating 6 MTD partitions on "raspi":
0x000000000000-0x000000020000 : "boot"
0x000000020000-0x000000160000 : "kernel"
0x000000160000-0x0000007d0000 : "rootfs"
mtd: partition "rootfs" extends beyond the end of device "raspi" -- size truncated to 0x2a0000
mtd: partition "rootfs" set to be root filesystem
0x0000007d0000-0x0000007e0000 : "romfile"
mtd: partition "romfile" is out of reach -- disabled
0x0000007e0000-0x0000007f0000 : "config"
mtd: partition "config" is out of reach -- disabled
0x0000007f0000-0x000000800000 : "radio"
mtd: partition "radio" is out of reach -- disabled
Register flash device:flash0
PPP generic driver version 2.4.2
NET: Registered protocol family 24
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
rt3xxx-ehci rt3xxx-ehci: Ralink EHCI Host Controller
rt3xxx-ehci rt3xxx-ehci: new USB bus registered, assigned bus number 1
rt3xxx-ehci rt3xxx-ehci: irq 18, io mem 0x101c0000
rt3xxx-ehci rt3xxx-ehci: USB 0.0 started, EHCI 1.00
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
rt3xxx-ohci rt3xxx-ohci: RT3xxx OHCI Controller
rt3xxx-ohci rt3xxx-ohci: new USB bus registered, assigned bus number 2
rt3xxx-ohci rt3xxx-ohci: irq 18, io mem 0x101c1000
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 1 port detected
Mirror/redirect action on
u32 classifier
    Actions configured
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (2868 buckets, 11472 max)
ip_tables: (C) 2000-2006 Netfilter Core Team, Type=Linux
TCP cubic registered
NET: Registered protocol family 10
ip6_tables: (C) 2000-2006 Netfilter Core Team
IPv6 over IPv4 tunneling driver
NET: Registered protocol family 17
NET: Registered protocol family 15
Ebtables v2.0 registered
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
List of all partitions:
1f00             128 mtdblock0 (driver?)
1f01            1280 mtdblock1 (driver?)
1f02            2688 mtdblock2 (driver?)
No filesystem could mount root, tried:  squashfs
Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(31,2)

I'd probably try to install the stock MR200 fw 1st, then redo the openwrt install

You didn't understand me properly. The same issue occurs when I try to install the stock firmware.

ah, indeed.

my bad, try Re-Stocking TP-link MR200 archer

Let me take a look and update you!

So if I understand correctly I need the bootloader made for my carrier? Any way to circumvent it? I tried fully wiping the chip and flashing stock TP-Link bootloader + firmware + config.

Probably not, carrier uboot could check if the fw is signed, which is something you probably don't want.
But the uboot env might differ between carrier and stock uboot.
Fw itself might also expect different uboot settings, depending on version.

config is what exactly? ART partition? uboot env?

Nevermind the config part, let me clarify.

I found a random dump of an MR200 V2; loaded with a modified MAC, it surprisingly worked and loaded. Same for an Archer C20, but the last one of course doesn't feature a SIM card, though it does work as a standard router.

I am able to install OpenWRT from those. After installing and opening the Modem console, I tried tinkering with it and understood that the modem itself is locked. I couldn't find any settings about unlocking it; I checked via ADB as well and couldn't find any firewalls that could prevent a SIM card other than one from Wind from establishing a connection.

I then used TFTP to flash an update package from TP-Link with stripped headers (~35MB), after which the router came back to the Kernel Panic with VFS not sync, unable to mount root blah blah blah. I am wondering if flashing that package via TFTP could have also updated the modem; if yes, then it's possibly unlocked now. I'm saying this because, when reading the unbricking guide, there was a part mentioning that I need to run a firmware update from the web console to also unlock the modem.

Since it's late at night, I am not able to reconnect the router to my Raspberry Pi to recover it to a working dump, to then update to OpenWRT again, to then access the Modem console and check if the version has changed at all.

My main question is the following:
How the hell, even after wiping the flash chip completely and reflashing the stock bootloader with its firmware, does it still not boot? I have read that these locked routers always require the carrier-specific bootloader. What tells the bootloader where the rootfs is, and where is it? Since, if we look carefully, the log says that it can't mount root.

No filesystem could mount root, tried:  squashfs
Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(31,2)

This is a whole god damn Sherlock stuff.
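As an added example (not part of any post in this thread), the sketch below parses lines copied from the boot log above and compares each MTD partition with the flash size the kernel detected, showing that only 0x2a0000 bytes of the 0x670000-byte `rootfs` named by `root=/dev/mtdblock2` are visible. The function name `analyze` and the result field names are this example's own.

```python
import re

# Lines copied verbatim from the boot log posted earlier in this thread.
BOOT_LOG = """\
Kernel command line: console=ttyS1,115200 root=/dev/mtdblock2 rootfstype=squashfs init=/sbin/init
Warning: un-recognized chip ID, please update SPI driver!
AT25DF321(1f 47000000) (4096 Kbytes)
mtd .name = raspi, .size = 0x00400000 (0M) .erasesize = 0x00000004 (0K) .numeraseregions = 65536
0x000000000000-0x000000020000 : "boot"
0x000000020000-0x000000160000 : "kernel"
0x000000160000-0x0000007d0000 : "rootfs"
0x0000007d0000-0x0000007e0000 : "romfile"
0x0000007e0000-0x0000007f0000 : "config"
0x0000007f0000-0x000000800000 : "radio"
"""

PART_RE = re.compile(r'^(0x[0-9a-f]+)-(0x[0-9a-f]+) : "([^"]+)"$', re.M)
SIZE_RE = re.compile(r'^mtd \.name = \S+ \.size = (0x[0-9a-f]+)', re.M)
ROOT_RE = re.compile(r'\broot=/dev/mtdblock(\d+)')


def analyze(log):
    """Return (detected_flash_size, per-partition findings) for a boot log."""
    size_m, root_m = SIZE_RE.search(log), ROOT_RE.search(log)
    if not size_m or not root_m:
        raise ValueError("log lacks the mtd size line or a root=/dev/mtdblockN argument")
    flash_size, root_index = int(size_m.group(1), 16), int(root_m.group(1))
    findings = []
    for index, (start, end, name) in enumerate(PART_RE.findall(log)):
        start, end = int(start, 16), int(end, 16)
        if start >= flash_size:        # kernel logs "is out of reach -- disabled"
            state, usable = "disabled", 0
        elif end > flash_size:         # kernel logs "size truncated to ..."
            state, usable = "truncated", flash_size - start
        else:
            state, usable = "ok", end - start
        # index == mtdblock number as long as no earlier partition was disabled
        findings.append({"name": name, "state": state, "wanted": end - start,
                         "usable": usable, "is_root": index == root_index})
    return flash_size, findings


if __name__ == "__main__":
    size, parts = analyze(BOOT_LOG)
    print(f"kernel-detected flash size: {size:#x}")
    for p in parts:
        root = "  <- root=" if p["is_root"] else ""
        print(f'{p["name"]:8} {p["state"]:9} wanted {p["wanted"]:#x} usable {p["usable"]:#x}{root}')
```

In the same log U-Boot reports `find flash: GD25Q64C`, while the kernel prints the un-recognized chip ID warning and continues with a 4096 Kbytes AT25DF321 entry, so the thing to re-check after any reflash is whether the kernel's `.size` reaches the end of `rootfs`.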

it probably would, if you added the extra packages.
this should be a list of the packages you need https://firmware-selector.openwrt.org/?version=21.02.3&target=ramips%2Fmt7620&id=tplink_archer-mr200

the modem will be on a different subnet than the router.
and the web console, would probably be the modems web console, not openwrts.

like i said, uboot env, would be one possibility, flash layout another ...

but if you had a full flashdump, one would expect it to boot, yes.

when you had the C20 fw running, did you try to (re)flash it with a mr200 openwrt image ?

I know, I have accessed the console; moreover, it allows pushing an update to the modem. I tried the one with the same specs, being the TP-Link MiFi 7350, but it just said Update Corrupted or Invalid. The firmwares for MR200 listed on the TP-Link website are 35-50 MB, and they have the modem firmware in them. Flashing it would unlock the bootloader, but to flash that firmware update I need to have stock firmware so it would update the modem too. Stripping the header and flashing via TFTP gave me the same error.

Yes, and it works; moreover, it is running MR200 OpenWRT right now.

My question is, how do I change the flash layout? I mean I literally flash a full dump from another TP-LINK MR200 V1 and it doesn't work, but the V2 does.

sooooo .... issue solved ?

Not... really. Since the modem is still locked, and I still can't flash stock firmware, check my previous reply again, I just edited it.

so this whole exercise is really about unlocking the modem, not going back to stock ?

Unlock + Would be good if stock. Sorry I didn't clarify it earlier, I was really focused on that Unable to mount root issue.

Update! Tried an Orange-branded firmware, flashed via TFTP recovery with no headers, and the bootloader successfully mounted root. I can try making a mix of stock + that bootloader.

Moreover, the firmware allows me to enter a SIMLOCK code.

Update 2: The stock firmware with Orange bootloader didn't work.

So now let's forget that firmware stuff, since we can at least use OpenWRT.

Now the question is, how to unlock the modem?

Not really surprising, and I don't see the point of using the locked down boot loader from Orange.

the wiki page says

The last step was flashing from the stock interface the latest firmware version from TP-Link which also unlocked the LTE modem.

did you try it ?

To do that, I needed to have the stock UI working, however I figured it out.

I used the M7350 MiFi firmware as a scheme example to understand what the firmware scheme looks like, downloaded the MR200 firmware and extracted the modem firmware. Since OpenWRT allows logging in to the Modem Console (192.168.225.1), I went to the Device Settings and did a Firmware Update, which unlocked the modem.

Now just need to install a TP-LINK MR200 firmware back to be able to properly use the modem and we should be good to go.

Full Guide
https://forum.openwrt.org/t/guide-on-unlocking-tp-link-archer-mr200-from-your-carrier