Understanding/flashing TP-LINK stock firmware from non-stock firmware (and vice versa)

hi all,

so i have a few questions about TP-LINK's firmware flashing process. it is very unusual compared to the mt7621 flashing i'm used to.

in particular, how does the tp-link safeloader program work? i know it's required to "wrap" the non-stock firmware and have the TP-LINK stock firmware flash it, but is there any more information on how exactly TP-LINK writes this firmware?

surely openwrt must have some documentation on how exactly a non-stock firmware must be prepared so that the output from safeloader will be written correctly by the stock firmware.

i have a question about the opposite process, as well. if i have a TP-LINK totalimage and i want to revert to stock, is there an easy way to write this image in the kernel?

i wish the lantiq bootloader had an RALINK-like recovery mode, but it does not (yet, at least). as such, i need to see if there's an easy way to write the full tp-link stock image from within a foreign linux kernel.

TP-Link has changed their firmware format (and with that the details that matter) a lot of times over the last decade - and even more often recently. You really need to be specific about the exact device here.

--
Disclaimer: my last TP-Link so far was the TL-WDR4300, before they started these shenanigans, so I won't be able to help you with this anyways, as my experience is outdated.

it's the ax50 (a lantiq device).

if it helps i have a lot of details about the flash layout and stuff:

first, they do some weird partitioning on the (stock firmware):

partition 01: name = factory-boot    , base = 0x00000000, size = 0x00040000 Bytes, usedFlag = 0
partition 02: name = fs-uboot        , base = 0x00040000, size = 0x00040000 Bytes, usedFlag = 0
partition 03: name = os-image        , base = 0x00080000, size = 0x00200000 Bytes, usedFlag = 0
partition 04: name = file-system     , base = 0x00280000, size = 0x00c00000 Bytes, usedFlag = 0
partition 05: name = default-mac     , base = 0x00e80000, size = 0x00000200 Bytes, usedFlag = 0
partition 06: name = pin             , base = 0x00e80200, size = 0x00000100 Bytes, usedFlag = 0
partition 07: name = device-id       , base = 0x00e80300, size = 0x00000100 Bytes, usedFlag = 0
partition 08: name = product-info    , base = 0x00e80400, size = 0x0000fc00 Bytes, usedFlag = 0
partition 09: name = partition-table , base = 0x00e90000, size = 0x00010000 Bytes, usedFlag = 0
partition 10: name = soft-version    , base = 0x00ea0000, size = 0x00010000 Bytes, usedFlag = 0
partition 11: name = support-list    , base = 0x00eb0000, size = 0x00010000 Bytes, usedFlag = 0
partition 12: name = profile         , base = 0x00ec0000, size = 0x00010000 Bytes, usedFlag = 0
partition 13: name = default-config  , base = 0x00ed0000, size = 0x00010000 Bytes, usedFlag = 0
partition 14: name = ap-def-config   , base = 0x00ee0000, size = 0x00010000 Bytes, usedFlag = 0
partition 15: name = user-config     , base = 0x00ef0000, size = 0x00010000 Bytes, usedFlag = 0
partition 16: name = ap-config       , base = 0x00f00000, size = 0x00010000 Bytes, usedFlag = 0
partition 17: name = router-config   , base = 0x00f10000, size = 0x00010000 Bytes, usedFlag = 0
partition 18: name = tm-sig          , base = 0x00f20000, size = 0x00040000 Bytes, usedFlag = 0
partition 19: name = certificate     , base = 0x00f60000, size = 0x00010000 Bytes, usedFlag = 0
partition 20: name = extra-para      , base = 0x00f80000, size = 0x00004000 Bytes, usedFlag = 0
partition 21: name = log             , base = 0x00fc0000, size = 0x00020000 Bytes, usedFlag = 0

i shouldn't have a problem extracting what i need prior to flashing the foreign firmware, but really the bigger question is if there's an easy way to flash a stock firmware from a non-stock firmware without a recovery mode.

i wish i could just blindly write this thing to the mtd.

have you guys found any TP-LINK GPL release that provides access to their "nvram" program? i am more curious about how safeloader works. i am hoping you can point me to something, anything! @slh
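
Added example (not part of the original posts, and not TP-Link or OpenWrt code): a parser for the partition listing format shown in the post above. It checks a layout for overlaps, unmapped gaps and out-of-bounds entries, and slices a named partition out of a full flash dump so it can be backed up before anything is written. The 16 MiB flash size and all function names are assumptions; the sample lines are partitions 18 to 21 copied from the listing.

```python
import re

FLASH_SIZE = 0x1000000  # assumption: 16 MiB part (listing ends at 0x00fe0000)
# Constructed sample: partitions 18-21 copied from the listing in the post.
SAMPLE = """\
partition 18: name = tm-sig          , base = 0x00f20000, size = 0x00040000 Bytes, usedFlag = 0
partition 19: name = certificate     , base = 0x00f60000, size = 0x00010000 Bytes, usedFlag = 0
partition 20: name = extra-para      , base = 0x00f80000, size = 0x00004000 Bytes, usedFlag = 0
partition 21: name = log             , base = 0x00fc0000, size = 0x00020000 Bytes, usedFlag = 0
"""

LINE_RE = re.compile(
    r"partition\s+\d+:\s*name\s*=\s*(\S+)\s*,\s*base\s*=\s*(0x[0-9a-fA-F]+),"
    r"\s*size\s*=\s*(0x[0-9a-fA-F]+)\s*Bytes")

def parse_layout(text):
    """Return [(name, base, size)] sorted by base address."""
    parts = [(m.group(1), int(m.group(2), 16), int(m.group(3), 16))
             for m in LINE_RE.finditer(text)]
    return sorted(parts, key=lambda p: p[1])

def check_layout(parts, flash_size=FLASH_SIZE):
    """Return (kind, name, start, length) issues; a gap names the next partition."""
    issues = []
    cursor = parts[0][1] if parts else 0  # start at the first listed partition
    for name, base, size in parts:
        if base < cursor:
            issues.append(("overlap", name, base, cursor - base))
        elif base > cursor:
            issues.append(("gap", name, cursor, base - cursor))
        if base + size > flash_size:
            issues.append(("out-of-bounds", name, base, base + size - flash_size))
        cursor = max(cursor, base + size)
    if parts and cursor < flash_size:
        issues.append(("gap", "<end>", cursor, flash_size - cursor))
    return issues

def carve(dump, parts, name):
    """Slice one named partition out of a full flash dump (bytes)."""
    for pname, base, size in parts:
        if pname == name:
            if base + size > len(dump):
                raise ValueError("dump is shorter than the partition end")
            return dump[base:base + size]
    raise KeyError(name)
```

Regions reported as gaps are not covered by any listed partition, so a per-partition backup misses them; keeping the full dump as well avoids that.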