OpenWrt Forum Archive

Topic: Where is the TP-Link mac address stored?

The content of this topic has been archived on 23 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

TL-WA850RE V2 in particular but I'd imagine they all use the same location in one of the mtds. It doesn't appear to be in uboot because it shows "ba:be:fa:ce:08:41" which seems to be generic with at least new TP-Link. I was thinking it may be in the "art" mtd but can't find the location. Some help on how to search the mtds would be appreciated. TIA

webtron wrote:

TL-WA850RE V2 in particular but I'd imagine they all use the same location in one of the mtds. It doesn't appear to be in uboot because it shows "ba:be:fa:ce:08:41" which seems to be generic with at least new TP-Link. I was thinking it may be in the "art" mtd but can't find the location. Some help on how to search the mtds would be appreciated. TIA

Almost all TP-Link routers share the same FLASH layout. The MAC is stored at offset 0x1FC00, inside the second 64 KB sector.
http://www.tech-blog.pl/wordpress/wp-content/uploads/2016/03/mr3020_u-boot-modification_flash-map_comparison.png

Thanks pepe2k. I'm trying to read it using a method on the 1043nd openwrt page https://wiki.openwrt.org/toh/tp-link/tl-wr1043nd

cp /dev/mtd0ro /tmp/uboot.org
hexdump -n 6 -s 130048 -e '"%06.6_ax " 5/1 "%02X:" 1/1 "%02X""\n"' /tmp/uboot.org

But I get

01fc00 FF:FF:FF:FF:FF:FF

Does that look like the correct way to find it?

You can directly do a hexdump of the whole partition and search for the MAC with grep.

hexdump -C /dev/mtd0ro

Thanks, I'll take a look.

Unfortunately nothing found in any of the mtd devices.  It's a new WA850RE V2 model and the U-boot is U-Boot 1.1.4 (Dec 23 2015 - 17:10:56) so maybe TP-Link are trying to hide it from us. I grepped through every mtd with zero hits.
I cracked this thing open with hammer taps and I doubt it will ever be used for anything other than research so I don't feel I need to hide the mac address.
mac="18-a6-f7-30-05-a3"

root@OpenWrt:~# hexdump -C /dev/mtd0ro | grep '18 a6 f7'
root@OpenWrt:~# hexdump -C /dev/mtd1ro | grep '18 a6 f7'
root@OpenWrt:~# hexdump -C /dev/mtd2ro | grep '18 a6 f7'
root@OpenWrt:~# hexdump -C /dev/mtd3ro | grep '18 a6 f7'
root@OpenWrt:~# hexdump -C /dev/mtd4ro | grep '18 a6 f7'
root@OpenWrt:~# hexdump -C /dev/mtd5ro | grep '18 a6 f7'

I'll link the output of "hexdump -C /dev/mtd1ro" in case anyone has any ideas. https://www.dropbox.com/s/gtczgdhpd8izfit/mtd0.txt?dl=0
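An added example, not part of any post in this thread: grepping `hexdump -C` output for `'18 a6 f7'` misses a MAC that crosses a 16-byte row boundary or the extra space that `hexdump -C` prints between the 8th and 9th byte of each row. The sketch below searches a raw dump byte by byte and also reports whether the six bytes at 0x1FC00 are erased. Function names are hypothetical; it assumes a workstation with POSIX `od`, `tr`, `awk` and `dd`, and a dump made with `cat /dev/mtdX > /tmp/X.bin`.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes POSIX od, tr, awk, dd.

MAC_OFFSET=$((0x1FC00))   # offset given in the thread (130048 decimal)

# "18-a6-f7-30-05-a3" or "18:A6:F7:..." -> "18a6f73005a3"
mac_to_hex() { printf '%s' "$1" | tr -d ':-' | tr 'A-F' 'a-f'; }

# Hex digits of $3 bytes starting at byte offset $2 of file $1.
bytes_at() { od -An -v -tx1 -j "$2" -N "$3" "$1" | tr -d ' \n'; }

# True when the 6 bytes at the expected MAC offset are erased flash (all 0xFF).
mac_slot_erased() { [ "$(bytes_at "$1" "$MAC_OFFSET" 6)" = ffffffffffff ]; }

# Print the hex offset of every occurrence of MAC $1 in file $2.
# One byte per line plus a 6-byte sliding window, so a match cannot be
# split by a dump row boundary or a column gap.
find_mac() {
    od -An -v -tx1 "$2" | tr -s ' ' '\n' |
    awk -v n="$(mac_to_hex "$1")" '
        $1 == "" { next }
        { win = win $1
          if (length(win) > 12) win = substr(win, 3)
          if (win == (n "")) printf "0x%x\n", count - 5
          count++ }'
}

# Constructed sample: 128 KiB of 0xFF with the thread's MAC at byte offset $2.
make_sample() {
    dd if=/dev/zero bs=1024 count=128 2>/dev/null |
        LC_ALL=C tr '\000' '\377' > "$1"
    printf '\030\246\367\060\005\243' |
        dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}

# Usage: sh findmac.sh 18-a6-f7-30-05-a3 /tmp/0.bin
if [ "$#" -eq 2 ]; then
    if mac_slot_erased "$2"; then echo "0x1fc00: erased (all FF)"; fi
    find_mac "$1" "$2"
fi
```
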

webtron wrote:

Unfortunately nothing found in any of the mtd devices.  It's a new WA850RE V2 model and the U-boot is U-Boot 1.1.4 (Dec 23 2015 - 17:10:56) so maybe TP-Link are trying to hide it from us. I grepped through every mtd with zero hits.[...]

It looks like your second 64 KB sector is empty/erased. Is it a brand new device or did you buy a used one?

AFAIK, v2 is based on QCA9533, so I don't expect that TP-Link changed approach and moved the MAC address somewhere else (e.g. to art).

Can you share binary images of the u-boot and art mtd partitions?
You can make a copy with:

cat /dev/mtdX > /tmp/X.bin

It's brand new but I've flashed it with openwrt. I assume the uboot mtd doesn't get overwritten when installing openwrt only the kernel and rootfs. I've ordered another one which should get here tomorrow which I was going to crack open and see if the uboot had a mac before flashing with openwrt.  I'll upload the 2 files in a minute if you still want them.

webtron wrote:

It's brand new but I've flashed it with openwrt. I assume the uboot mtd doesn't get overwritten when installing openwrt only the kernel and rootfs.

And that's true if you flash the firmware using the GUI.

webtron wrote:

I've ordered another one which should get here tomorrow which I was going to crack open and see if the uboot had a mac before flashing with openwrt.  I'll upload the 2 files in a minute if you still want them.

U-Boot from TP-Link (and most U-Boot versions for QC/A WiSoCs, based on the code from QC/A SDK) doesn't use/read the MAC stored in FLASH (the individual/unique one), only the "fake"/hard-coded one.

webtron wrote:

https://www.dropbox.com/s/1srtmypwbyc749o/mtd04.zip Both in there zipped up. Thanks

Yep, your MAC address, model/HWID are missing. Second sector looks like it was erased. Does the WiFi work at all? What MAC address/es do you see in OpenWrt?

Thanks. I had to add the mac to the wifi and lan interface to get the wifi working. That's why I started this thread because I couldn't find it anywhere. Here's the thread where I have the two bootlogs. https://forum.openwrt.org/viewtopic.php?id=67530

webtron wrote:

Thanks. I had to add the mac to the wifi and lan interface to get the wifi working. That's why I started this thread because I couldn't find it anywhere. Here's the thread where I have the two bootlogs. https://forum.openwrt.org/viewtopic.php?id=67530

If you have serial console access and provide me the MAC and WPS PIN (if it exists) from the label, I will write you the exact commands to fix it in the U-Boot command line.

Thanks that's awesome. There's no pin but the mac is "18-a6-f7-30-05-a3". I think you're correct I wiped it when using the serial to flash it. I've got another one here now waiting for the hammer to crack it open to verify. I've tried to compile an image to web install it on the new one but keep getting checksum errors. I've successfully done this with other routers so I'll probably persist with that to save wrecking another one.

The discussion might have continued from here.