URGENT: Trying to revert to original firmware, but Failed to erase block

I recently got the TP-LINK WR940N v4. I originally expected the v3, so I could use DD-WRT, but amazon sent me the v4 -_-. I ran into LEDE and was messing around with stuff, but eventually I wanted to revert back to the original firmware.

I used wget into the /tmp folder to get the OEM firmware, but as i did

mtd -r write /tmp/oemfirmware.bin firmware

I ended up with [e] Failed to erase block.

I still have the connection up, and I read somewhere online that restarting my router will end up bricking it, so I refrained from doing so.

I do want to say that at the login motd, I did get the following message:
Your JFFS2-partition seems full and overlayfs is mounted read-only.
Please try to remove files from /overlay/upper/... and reboot!

I am fairly new at most of this stuff, so providing simple instructions would be appreciated!

Nevermind! I solved this problem by deleting the first 257 bytes

dd if=originalFirmware.bin of=tplink.bin skip=257 bs=512

then used mtd again, and it somehow worked! YAY

5 Likes

What a life saver!!!

Thank you very much!! I got exactly the same problem, however, my router is a tp-link wrt841nd v10. Your solution worked like a charm!

Do you know why we have to delete these 257 bytes?

1 Like

It strips the uboot off it. Because firmwares like DD-WRT and OpenWRT expect a firmware that does not contain a bootloader. So the extra data from the bootloader would be written to where the firmware would be and it will not fit. So that's why you get ride of the first 257 bytes that contains the bootloader in those.

Actually it's removing 257 * 512 byte blocks, which is the 512 byte factory header and the 128kbyte uboot bootloader.

1 Like

binwalk is a great tool for figuring out header skipping on various image files... I run it on files almost as a reflex before flashing things (more so than any file checksum tests haha).

Edit: binwalked the latest one as an example... you can see your trimming point is at 131584 and is the next available "TP-Link firmware header". The earlier uImage must be some sort of defaults or migration scripts used by the built-in TP-Link upgrade tool(s) along with the overall firmware header... but you can use this method to find the proper skip/block to make a "naked" mtd flashable file in the future, and on other models (some might have 256KB u-boot or etc thus different offsets). It's basically a Hexeditor on autopilot (I used to know how to spot LZMA magics in hexeditors, like Where's Waldo, but this is way easier)

# binwalk wr940nv4_us_3_16_9_up_boot\\(160617\\).bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             TP-Link firmware header, firmware version: 0.-6309.3, image version: "", product ID: 0x0, product version: 155189252, kernel load address: 0x0, kernel entry point: 0x80002000, kernel offset: 4063744, kernel length: 512, rootfs offset: 865629, rootfs length: 1048576, bootloader offset: 2883584, bootloader length: 0
15552         0x3CC0          U-Boot version string, "U-Boot 1.1.4 (Jun 17 2016 - 16:14:48)"
15600         0x3CF0          CRC32 polynomial table, big endian
16900         0x4204          uImage header, header size: 64 bytes, header CRC: 0xDC5CE357, created: 2016-06-17 08:14:49, image size: 42775 bytes, Data Address: 0x80010000, Entry Point: 0x80010000, data CRC: 0x5C656922, OS: Linux, CPU: MIPS, image type: Firmware Image, compression type: lzma, image name: "u-boot image"
16964         0x4244          LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 113496 bytes
131584        0x20200         TP-Link firmware header, firmware version: 0.0.3, image version: "", product ID: 0x0, product version: 155189252, kernel load address: 0x0, kernel entry point: 0x80002000, kernel offset: 3932160, kernel length: 512, rootfs offset: 865629, rootfs length: 1048576, bootloader offset: 2883584, bootloader length: 0
132096        0x20400         LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 2496188 bytes
1180160       0x120200        Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 2691712 bytes, 584 inodes, blocksize: 131072 bytes, created: 2016-06-17 08:23:55
1 Like

Thanks!!!!!!

Could you please explain how I calculate the: dd skip=(strip header) from this:

root@MacBookPro:/mnt/d/.wsl# binwalk Archer_C50v3_EU_0.9.1_0.5_up_boot\[170822-rel64885\].bin

DECIMAL HEXADECIMAL DESCRIPTION

--------------------------------------------------------------------------------

82288 0x14170 U-Boot version string, "U-Boot 1.1.3 (Aug 18 2017 - 09:57:27)"

132096 0x20400 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 3650664 bytes

1442304 0x160200 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 5239848 bytes, 692 inodes, blocksize: 131072 bytes, created: 2017-08-22 10:01:28

Thank you

I just worked it out from your mention of trimming point:

so 132096 / 512 = 258

dd if=tp_link.bin of=tp_link_stripped.bin skip=258 bs=512

Yay! :nerd_face:

Hi bro!!!!
can you help me? I am new at this...
The same error happens to me with TL-WR740N v5.1
I managed to install the original Firmware (.bin) in / tmp folder with WinSCP, but from SSH with Putty it won't let me install. It gives the same error:

Thanks!

try to follow the steps but it won't let me update the version...


https://openwrt.org/es/docs/guide-user/installation/generic.uninstall

I´m sorry for my english :man_facepalming:

If you're confident the firmware is correct and you have done any required header stripping then you can do a forced install.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.