OpenWrt Forum Archive

Topic: mtd [e]Failed to erase block = bricked on TL-MR3040?

The content of this topic has been archived on 11 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

On a TL-MR3040 Ver2.1:

root@OpenWrt:/tmp# mtd -r write mr3040v2_en_3_14_4_up_boot\(121017\).bin firmware
Unlocking firmware ...

Writing from mr3040v2_en_3_14_4_up_boot(121017).bin to firmware ...  [e]Failed to erase block

Reboot and now power LED stays on and the other three LEDs all blink together continuously.  Can't get wired IP address and no wifi.  Any ideas on how to raise the apparent dead?  I was trying to go back to the stock firmware.

Thank you.

Hi
I'm a bit confused because there are 2 different (though similar) models being discussed.

- The first link provided (for MR3020) says that mtd is an OK way to revert to factory firmware.
- But the MR3040 wiki page doesn't list mtd as an option - only says serial console for restoring factory.


So:

- Is mtd a valid way to go on the MR3040 v2.1?
- If mtd fails, should the serial console still work?   
    -- [If so, then I'm willing to test, so I otherwise need to get to a serial console eventually anyway]


Thanks!

Adam

aberson wrote:

- Is mtd a valid way to go on the MR3040 v2.1?

From what I see in the Wiki the problem does not depend on the hardware or on mtd but on (not) using the right firmware version for the device.

aberson wrote:

- If mtd fails, should the serial console still work?

The serial console will work for as long as your boot loader is still functioning. Since you (hopefully) did not write to the bootloader, I see no reason why the console should not work.
And if it does not, you are screwed anyways...

I was able to use mtd to load dd-wrt, and was able to go back to OpenWrt from dd-wrt via the same method (but they call the destination partition "linux")

BUT, I cannot load the stock firmware [mr3040v2_en_3_14_4_up_boot(121017).bin] via mtd.  When I try to do it from OpenWrt I get "Failed to erase block", and when I try to do it from dd-wrt I get "Erasing mtd failed: linux".  If I just do "mtd erase" then it works...

In these cases of failures, I don't get kicked out of SSH, so I'm able to get back to relative safety by re-loading OpenWrt


One thing I notice is that the OpenWrt and DD-WRT .bin's are exactly the same size (3,932,160 bytes) but the tp-link stock firmware is bigger (4,063,744 bytes).  The difference is 131,584 bytes which == 128.5KB.

When I read the mr3020 wiki which warns about only the older firmware file working, I see:
- The older file that works is the same size as the dd-wrt/openwrt files I mentioned above,
- The newer one that doesn't work on mr3020 is the same size as the larger mr3040, and has "boot" in the filename

I could have sworn I read somewhere to make sure your firmware did have "boot" in the filename, but now I can't find that reference.

Going to poke around with a hex editor and see if there's anything obvious occupying exactly 131,584 bytes in the "boot" files.

SUCCESS.

After some analysis with a hex editor, it becomes quite obvious that the .bin's which are 131,584 bytes larger have an extra* 131,584 bytes at the BEGINNING.  I chopped off those beginning bytes from mr3040v2_en_3_14_4_up_boot(121017).bin with a hex editor and was able to flash back to the stock firmware using mtd!


I repeat: mr3040 v2.1 flashed back to stock firmware with mtd - no need for serial console, just need to modify the .bin.   (This presumes you haven't already bricked your device - you need SSH access at minimum here)


I just deleted everything before 0x20200, which is easy to find because there's a large section of zeros right before the first byte you keep, which is 0x01 followed shortly by "TP-LINK".  I'm sure there's a clever way to chop off those bytes using DD, but I didn't bother.


Hope this is helpful to somebody else.  I'll try to update the relevant wikis too.


Adam

[*This extra bit says "U-boot" 3 times in it, and since the filename also says "boot", I guess it's a safe bet that those files include an update to the bootloader.   Would be great if that new U-boot had a "boot wait" tftp in it...]

(Last edited by aberson on 28 Sep 2013, 02:29)

Ah so you are correct.  I think it's smart to write it centrally, but also must at least be linked from each router's wiki page, because I never came across the tp-link start page in my searches - I got right to the mr3040 page via google.  But I'm new around here...


Here's how I'd write it:


The router's firmware must be 3,932,160 bytes to flash via mtd.  If you download firmware from tp-link which is 4,063,744 bytes then this 128.5KB larger firmware also has the boot firmware in it (usually says "boot" in the filename).  Historically this has been located at the beginning of the file*, but theoretically that could change.  (*You can confirm this by opening in a hex editor and scrolling down to address 0x20200.  Just prior to that location you should see a large block of 00's.  At 0x20200 you should have a "01" followed by a few 00's and then "TP-LINK")


The first 128.5KB can be removed with this command (after getting the firmware into /tmp via scp or wget):  "dd if=original_filename.bin of=modified_filename.bin skip=257 bs=512".  Following this, the file is the correct size (3,932,160 bytes) and can be flashed with "mtd -r write /tmp/filename.bin firmware".

When flashing with mtd, if you receive an error such as "failed to erase block", then DO NOT REBOOT your router.  Instead, flash a known good firmware of the proper size (e.g. flash the sysupgrade bin for the OpenWrt version you most recently had)
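
The size and marker checks described in the post above, as an added shell example that is not part of the original thread: it strips the 0x20200-byte prefix only when the image matches what the post describes. The function names, the 16-byte zero-padding window and the 32-byte search window for "TP-LINK" are assumptions; it expects dd, od, tr and wc, so run it on a workstation before copying the result to the router.

```shell
#!/bin/sh
# Added example: validate a TP-Link "boot" image before stripping its first
# 0x20200 bytes, using only the sizes and markers quoted in the thread.
BOOT_LEN=131584      # 0x20200 = 257 * 512, the prefix to drop
FULL_SIZE=4063744    # size of the "boot" image from the thread
FLASH_SIZE=3932160   # size the thread says mtd accepts for "firmware"

# Print $3 bytes of file $1 starting at offset $2 as lowercase hex, no spaces.
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# Size of file $1 in bytes.
size_of() { wc -c < "$1" | tr -d ' '; }

# strip_boot_prefix SRC DST
# Returns 0 and writes DST only if every check passes, 2 if SRC is already
# the flashable size, 1 on any mismatch (DST is not left behind).
strip_boot_prefix() {
    src=$1; dst=$2
    size=$(size_of "$src")
    if [ "$size" -eq "$FLASH_SIZE" ]; then
        echo "already $FLASH_SIZE bytes, nothing to strip" >&2; return 2
    fi
    [ "$size" -eq "$FULL_SIZE" ] || { echo "unexpected size $size" >&2; return 1; }
    # Zero padding just before 0x20200 (16-byte window is an assumption).
    [ -z "$(hex_at "$src" $((BOOT_LEN - 16)) 16 | tr -d 0)" ] \
        || { echo "no zero padding before 0x20200" >&2; return 1; }
    # The first byte that is kept must be 0x01 ...
    [ "$(hex_at "$src" "$BOOT_LEN" 1)" = "01" ] \
        || { echo "byte at 0x20200 is not 01" >&2; return 1; }
    # ... followed shortly by "TP-LINK" (32-byte search window is an assumption).
    case "$(hex_at "$src" "$BOOT_LEN" 32)" in
        *54502d4c494e4b*) ;;
        *) echo "TP-LINK marker not found" >&2; return 1 ;;
    esac
    # Same dd invocation as in the post: skip 257 blocks of 512 bytes.
    dd if="$src" of="$dst" bs=512 skip=257 2>/dev/null || return 1
    [ "$(size_of "$dst")" -eq "$FLASH_SIZE" ] \
        || { rm -f "$dst"; echo "output size wrong" >&2; return 1; }
}

# Usage: strip_boot_prefix original_filename.bin modified_filename.bin
```
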

Glad I found this post. I didn't realize I could reflash the factory firmware without using a serial console. Though, I'm a newbie and have no idea what MTD is either, it sounds easier.

RogueDog wrote:

Glad I found this post. I didn't realize I could reflash the factory firmware without using a serial console. Though, I'm a newbie and have no idea what MTD is either, it sounds easier.

Glad it's of help!  I updated the wiki with full instructions.  It's definitely easier as long as you have SSH access and can handle a bit of command line stuff 

http://wiki.openwrt.org/toh/tp-link/tl- … l.firmware

noseat wrote:

On a TL-MR3040 Ver2.1:

root@OpenWrt:/tmp# mtd -r write mr3040v2_en_3_14_4_up_boot\(121017\).bin firmware
Unlocking firmware ...

Writing from mr3040v2_en_3_14_4_up_boot(121017).bin to firmware ...  [e]Failed to erase block

Reboot and now power LED stays on and the other three LEDs all blink together continuously.  Can't get wired IP address and no wifi.  Any ideas on how to raise the apparent dead?  I was trying to go back to the stock firmware.

Thank you.

nebbia88 wrote:

read wiki:

http://wiki.openwrt.org/toh/tp-link/tl- … l.firmware

only way to recover is attach a serial console.


http://wiki.openwrt.org/toh/tp-link/tl- … al.console

read also advice for serial console from other tplink models, they are all similar

Got a similar result. Router had OpenWRT installed. Reverted to original with mtd without any problem. Flashed with PirateBox 1.0 - wasn't happy with the functionality and tried to revert the same way, but mtd finished much, much faster than before and I have flashing LEDs.

Does attaching a serial console mean soldering?
What else should I have as hardware to be able to get access to the serial console?

I'm having the same issue.

I'm connected to the serial port of the device at 115200 baud and all I'm seeing is garbage.  I'm not sure if it's bricked or what?  I'd assume if the bootloader were fully corrupted the lights would  not blink.

I did try what I think is a pull-up resistor but I'm not familiar with that setup so it could be wrong.  Either way I'm still seeing nothing of value.

The discussion might have continued from here.