Unbrick RE450 v1

Hi all,
I tried to unbrick my TP-Link RE450 with an TTL USB with the method from Heinz in this post:

But it didn't work. Here is the output I am getting from putty

U-Boot 1.1.4 (Dec 15 2017 - 15:14:35)

ap135 - Scorpion 1.0

DRAM:  64 MB
Top of RAM usable for U-Boot at: 84000000
Reserving 134k for U-Boot at: 83fdc000
Reserving 192k for malloc() at: 83fac000
Reserving 44 Bytes for Board Info at: 83fabfd4
Reserving 36 Bytes for Global Data at: 83fabfb0
Reserving 128k for boot params() at: 83f8bfb0
Stack Pointer at: 83f8bf98
Now running in RAM - U-Boot at: 83fdc000
Flash Manuf Id 0xef, DeviceId0 0x40, DeviceId1 0x17
flash size 16MB, sector count = 256
Flash: 16 MB
Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ath_gmac_enet_initialize...
athrs_sgmii_res_cal: cal value = 0xe
No valid address in Flash. Using fixed address
Scorpion  ----> AR8033 PHY *
AR8033 PHY init 
eth0: 00:03:7f:09:0b:ad
eth0 up
eth0
Setting 0x18116290 to 0x4890214f
Autobooting in 1 seconds
scorpion> setenv ipaddr 192.168.1.1

scorpion> setenv serverip 192.168.1.3

scorpion> tftp 0x80060000 re450bs.bin

Trying eth0
Checking Link: Up
Checking Duplex: Full
Checking Speed 100BaseT
dup 1 speed 100
Using eth0 device
TFTP from server 192.168.1.3; our IP address is 192.168.1.1
Filename 're450bs.bin'.
Load address: 0x80060000
Loading: *#################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 ##################################
done
Bytes transferred = 6160384 (5e0000 hex)
scorpion> erase 0x9f020000 +$filesize

Erase Flash from 0x9f020000 to 0x9f5fffff in Bank # 1 
First 0x2 last 0x5f sector size 0x10000
   2   3   4   5   6   7   8   9  10  11  12  13  14  15  16  17  18  19  20  21  22  23  24  25  26  27  28  29  30  31  32  33  34  35  36  37  38  39  40  41  42  43  44  45  46  47  48  49  50  51  52  53  54  55  56  57  58  59  60  61  62  63  64  65  66  67  68  69  70  71  72  73  74  75  76  77  78  79  80  81  82  83  84  85  86  87  88  89  90  91  92  93  94  95
Erased 94 sectors
scorpion> cp.b $fileaddr 0x9f020000 $filesize

Copy to Flash... write addr: 9f020000
done
scorpion> boot

## Booting image at 9f020000 ...
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 801930c0) ...
## Giving linux memsize in bytes, 67108864

Starting kernel ...

Booting QCA955x
 
Œéîõø`öåòóéïî`rnvnsqmmŒ“„‹mynrnpŸ•unupx`hòïïô€ìïãáìèïóônìïãáìäïíáéîi@HÇÃÃ@öÅòóÉÏÎ@tNsNs@H‡ƒƒI@I@Cq@ÏÎ@õÇ@qp@quzsszpq@ˆ‹´@rpqu
æìáóèŸóéúå`ðáóóåä`æòïí`âïïôìïáäåò`}`qv
²ÁÍ@óÉúÅ@ðÁóóÅÄ@ÆòÏÍ@ÂÏÏôÌÏÁÄÅò@}vwqpxxvt
ƒ•`òåöéóéïî`éóz`pppqywup`h‰“`wt‹ãi
Ãðõ@ÁðÂ@ÄÄò@ÁðÂ@ÁôÈ¿óùó¿ÆòÅñõÅÎÃùz@Ãðõ@wrp@ÄÄò@vpp@ÁÈÂ@b00
„åôåòíéîåä`ðèùóéãáì`’`íáðz
@ÍÅÍÏòùz@ptpppppp@€@pppp`000 (õóáâìå)
šïîå`†Ž`òáîçåóz
@@ŽÏòÍÁÌ@@@pøpppppppp@M~@pø`0004000
ïöáâìå`úïîå`óôáòô`†Ž`æïò`åáãè`îïäå
ÅÁòÌù¿ÎÏÄÅ¿ÍáðÛ1Ý áãôéöå ÐÆÎ òáîçåó
````pz`pøpppppppp`m~`pøpppptppp
‚õéìô`q`úïîåìéóôó`éî`šïîå`ïòäåòl`íïâéìéôù`çòïõðéîç`ïîn``”ïôáÌ@ðÁÇÅóz@qvruv
Ëåòîåì ãïííáîä ìéîå: ãïîóïìå=ôôùÓ0,115200 òïïô}sqzr`òïïôæóôùðå}óñõáóèæó`éîéô}o

After this the Power LED is flashing really fast and the AP is reachable on 192.168.0.254 via ssh. But the password doesn't work. In Browser it is not reachable.
Maybe someone has a tip for me.

Thanks in advance!

What exactly did you flash?

Generally I'd get the model's initramfs image from the snapshots directory, tftp to 0x81000000 then boot it from RAM (bootm 0x81000000). Once that OpenWrt boots up, use it to sysupgrade a release image.

Using the bootloader directly to erase and write flash is risky that you can clobber the wrong block.

1 Like

The Problem is at first I tried to flash the Stock firmware and may be erased the memory???
Afterwards I did what Heinz explained in his post (link above). I also used the file provided re450_back_to_stock.bin

So I think i killed my AP :slight_smile:

Thanks for your help. I gave it a try to boot the snapshot firmware directly from RAM like you wrote. It's booting something (not readable in putty window). The Power is blinking really fast.
I have a ping on 192.168.0.254 but can not login with ssh. No credentials are accepted. I tried nearly everything.
Also Webinterface doesn't work.
I think I killed my device :frowning:
It's a Ver 1.0 (EU) by the way.

The initramfs firmware doesn't read any configurations from flash, so the IP address will be 192.168.1.1. And since it's a snapshot there is no web interface only SSH.

Ok, I can not get it back running. Don't know why. Everything works as you described but it only boots up hyroglyphs and is not reachable :frowning:

Can anyone give me another hint how to get this device back running?