TP-Link Archer C7 v5 is a dual-band AC1750 router, based on Qualcomm/Atheros
QCA9563+QCA9880.
Specification:
- 750/400/250 MHz (CPU/DDR/AHB
- 128 MB of RAM (DDR2)
- 16 MB of FLASH (SPI NOR)
- 3T3R 2.4 GHz
- 3T3R 5 GHz
- 5x 10/100/1000 Mbps Ethernet
- 10x LED, 2x button
- UART header on PCB
Flash instruction:
1. Upload lede-ar71xx-generic-archer-c7-v5-squashfs-factory.bin via Web interface
Flash instruction using TFTP recovery:
1. Set PC to fixed ip address 192.168.0.66
2. Download lede-ar71xx-generic-archer-c7-v5-squashfs-factory.bin
and rename it to ArcherC7v5_tp_recovery.bin
3. Start a tftp server with the file tp_recovery.bin in its root directory
4. Turn off the router
5. Press and hold Reset button
6. Turn on router with the reset button pressed and wait ~15 seconds
7. Release the reset button and after a short time
the firmware should be transferred from the tftp server
8. Wait ~30 second to complete recovery.
Signed-off-by: Arvid E. Picciani <aep@exys.org>
(cherry picked from commit bf39d5594b)
The default image does not fit 2 MB anymore, expand os-image partition
to 4 MB.
Upgrading works transparently via sysupgrade in both directions.
Another option would have been to merge "os-image" and "rootfs" into a
single "firmware" partition using MTD_SPLIT_TPLINK_FW, but just
changing the sizes of the existing partitioning has been deemed safer
and actually tested on an affected device; the maximum for rootfs
changes from 27 MB to 25 MB.
Run-tested on TP-Link Archer C2600.
Signed-off-by: Joris de Vries <joris@apptrician.nl>
[slh: extend comments and commit message, rename rootfs]
Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
(cherry picked from commit b72b36653a)
This tool is used to create headers on images for the
D-Link DNS-313 in gemini target.
Will be used after switching gemini to 4.14 kernel.
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Having the metainfo between kernel and rootfs prevents us from resizing
the kernel partition as necessary.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
TP-Link Archer C60 v2 is a dual-band AC1350 router, based on
Qualcomm/Atheros QCA9561 + QCA9886.
Specification:
- 775/650/258 MHz (CPU/DDR/AHB)
- 64 MB of RAM (DDR2)
- 8 MB of FLASH (SPI NOR)
- 3T3R 2.4 GHz
- 2T2R 5 GHz
- 5x 10/100 Mbps Ethernet
- 7x LED, 2x button
- UART header on PCB
Flash instruction (web):
Download lede-ar71xx-generic-archer-c60-v2-squashfs-factory.bin and use
OEM System Tools - Firmware Upgrade site.
Flash instruction (recovery):
1. Set PC to fixed IP address 192.168.0.66
2. Download lede-ar71xx-generic-archer-c60-v2-squashfs-factory.bin and
rename it to tp_recovery.bin
3. Start a tftp server with the file tp_recovery.bin in its root
directory
4. Turn off the router
5. Press and hold reset button
6. Turn on router with the reset button pressed and wait ~15 seconds
7. Release the reset button and after a short time the firmware should
be transferred from the tftp server
8. Wait ~30 second to complete recovery
Flash instruction (under U-Boot, using UART):
tftp 0x81000000 lede-ar71xx-...-sysupgrade.bin
erase 0x9f030000 +$filesize
cp.b $fileaddr 0x9f030000 $filesize
reset
Signed-off-by: Henryk Heisig <hyniu@o2.pl>
Those converted factory images can be used to regain the original
tp-link firmware.
Be aware of firmware upgrade which additional require changes of
other partition than os-image (kernel) & file-system (rootfs).
OEM factory images from tplink can change nearly all partitions.
However using those images, OpenWrt's sysupgrade will only
modify the partitions os-image and file-system.
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
This device is identical as TP-Link RE450
RE355 is a dual-band AC1200 router, based on Qualcomm/Atheros
QCA9558+QCA9880.
Specification:
720/600/200 MHz (CPU/DDR/AHB)
64/128 MB of RAM (DDR2)
8 MB of FLASH (SPI NOR)
3T3R 2.4 GHz
3T3R 5 GHz
1x 10/100/1000 Mbps Ethernet
7x LED, 3x button
UART header on PCB
Flash instruction:
Web:
Download lede-ar71xx-generic-archer-c60-v2-squashfs-factory.bin
and use OEM System Tools - Firmware Upgrade site.
Signed-off-by: Henryk Heisig <hyniu@o2.pl>
According to console log during TP-Link TL-WR840N v5 OEM firmware update
procedure 0x3e0000-0x3f0000 64kB "config" partition, which is used to store
router's configuration settings, is erased and recreated again during every
OEM firmware update procedure, thus does not contain any valuable factory data.
So it is conviniant to use this extra 64kB erase block for jffs overlay due
limited flash size on this device like it used on TP-Link's ar71xx boards.
Signed-off-by: Serg Studzinskii <serguzhg@gmail.com>
mktplinkfw/mktplinkfw2 utilities put JFFS2 EOF market only at 64KB
boundary, this could lead to current device configuration lost during
the sysupgrade on a device, which is equpped with flash with the 4KB
erase block size (e.g. TP-Link Archer C20).
This happens when 64KB and 4KB alignments do not match, so the JFFS2
data is written not exactly at the partition beginnig and startup
scripts can not find the JFFS2 during the first boot just after the
sysupgrade.
Fix this by placing additional JFFS2 EOF marker at a 4KB boundary. Also
keep the marker at 64KB intact, so the utilities will produce images
suitable for devices with both 4KB and 64KB erase blocks.
Fixes: 29a2c2ea80 (add ability to put
jffs2 eof marker into the image)
Signed-off-by: Sergey Ryazanov <ryazanov.s.a@gmail.com>
It can be a replacement for the trx tool. The advantage is that otrx
doesn't alloc buffer for the whole TRX which can be a nice optimization
when creating big images.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
TP-Link TL-WR1043N v5 appears to be identical to the TL-WR1043ND v4,
except that the USB port has been removed and there is no longer a
removable antenna option.
The software is more in line with the Archer series in that it uses a
nested bootloader scheme.
Specifications:
- QCA9563 at 775 MHz
- 64 MB RAM
- 16 MB flash
- 3 (non-detachable) Antennas / 450 Mbit
- 1x/4x WAN/LAN Gbps Ethernet (QCA8337)
- reset and Wi-Fi buttons
Signed-off-by: Tim Thorpe <tim@tfthorpe.net>
Signed-off-by: Ludwig Thomeczek <ledesrc@wxorx.net>
This increases kernel partition size and fixes rootfs (file-system)
partition size on TP-Link RE450 v1. Also, while we are at it, switch
from statically defined kernel and rootfs partitions in kernel cmdline
to "tplink-fw" mtd splitter.
Fixes: FS#1072.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
This patch increases kernel partition size and re-enables image
generation for below TP-Link boards:
- archer-c58-v1
- archer-c60-v1
- tl-wr902ac-v1
- tl-wr942n-v1
Signed-off-by: Henryk Heisig <hyniu@o2.pl>
[commit message and title reworded]
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
TP-Link TL-WR840N v5 is simple N300 router with 5-port FE switch and
non-detachable antennas, based on MediaTek MT7628NN (aka MT7628N) WiSoC.
Specification:
- MT7628N/N (580 MHz)
- 64 MB of RAM (DDR2)
- 4 MB of FLASH
- 2T2R 2.4 GHz
- 5x 10/100 Mbps Ethernet
- 2x external, non-detachable antennas
- UART (J1) header on PCB (115200 8n1)
- 1x LED (GPIO-controlled), 1x button
* LED in TL-WR840N v5 is a dual-color, dual-leads type which isn't
(fully) supported by gpio-leds driver. This type of LED requires both
GPIOs state change at the same time to select color or turn it off.
For now, we support/use only the green part of the LED.
Orange LED is registered so you can later use it for your own purposes.
Flash instruction:
Unlike TL-WR840N v4 flashing through WEB UI works in v5.
1. Download lede-ramips-mt76x8-tl-wr840n-v5-squashfs-sysupgrade.bin image.
2. Go to 192.168.0.1
3. Flash the sysupgrade image through Firmware upgrade section of WEB UI.
4. Wait until green LED stops flashing and use the router.
Notes:
TFTP recovery is broken since TP-Link reused bootloader code for v4 and
that does not take into account only 4 MB of flash and bricks the device.
So do not use TFTP Recovery or you will have to rewrite SPI flash.
They fixed it in later GPL code,but it is unknown which version of
bootloader you have.
After manually compiling and flashing bootloader from GPL sources TFTP
recovery works properly.
Signed-off-by: Robert Marko <robimarko@gmail.com>
With '-a' specified on the command line, the current code:
- computes an aligned _kernel length_ instead of an aligned _rootfs
offset_.
- does not update the rootfs offset after computing the new kernel
length, and instead retains the layout default.
When the kernel length exceeds the available space left with this
fixed offset, the resulting image header contains invalid data, with
the recorded rootfs offset overlapping the kernel area.
This patch ensures that rootfs offset is correctly computed and
reflected in the final image.
Furthermore, the build_fw() function special cases the rootfs_align
option because of the above invalid logic. This is also fixed and
the computed (or command-line provided, or layout-provided) rootfs_ofs
value is used in all cases.
There seems to be no valid reason to extend the kernel length beyond
the actual length of the kernel itself (OFW images don't do it) so this
part of the existing behavior is dropped.
Example image before the patch:
Kernel data offset : 0x00000200 / 512 bytes
Kernel data length : 0x00158438 / 1410104 bytes
Kernel load address : 0x00000080
Kernel entry point : 0x00000080
Rootfs data offset : 0x00140000 / 1310720 bytes
Rootfs data length : 0x001e4f7e / 1986430 bytes
Example image after the patch:
Kernel data offset : 0x00000200 / 512 bytes
Kernel data length : 0x001583fe / 1410046 bytes
Kernel load address : 0x00000080
Kernel entry point : 0x00000080
Rootfs data offset : 0x00158600 / 1410560 bytes
Rootfs data length : 0x001e4e22 / 1986082 bytes
Tested-by: Mathias Kresin <dev@kresin.me>
Tested-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
Tested-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Tested-by: Henryk Heisig <hyniu@o2.pl>
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
TP-Link Archer C7 v4 is a dual-band AC1750 router, based on Qualcomm/Atheros
QCA9561+QCA9888.
Specification:
- 775/650/258 MHz (CPU/DDR/AHB)
- 128 MB of RAM (DDR2)
- 16 MB of FLASH (SPI NOR)
- 3T3R 2.4 GHz
- 3T3R 5 GHz
- 5x 10/100/1000 Mbps Ethernet
- 7x LED, 2x button
- UART header on PCB
Flash instruction:
1. Upload lede-ar71xx-generic-archer-c7-v4-squashfs-factory.bin via Web interface
Flash instruction using TFTP recovery:
1. Set PC to fixed ip address 192.168.0.66
2. Download lede-ar71xx-generic-archer-c7-v4-squashfs-factory.bin
and rename it to ArcherC7v4_tp_recovery.bin
3. Start a tftp server with the file tp_recovery.bin in its root directory
4. Turn off the router
5. Press and hold Reset button
6. Turn on router with the reset button pressed and wait ~15 seconds
7. Release the reset button and after a short time
the firmware should be transferred from the tftp server
8. Wait ~30 second to complete recovery.
Flash instruction under U-Boot, using UART:
1. tftp 0x81000000 lede-ar71xx-...-sysupgrade.bin
2. erase 0x9f040000 +$filesize
3. cp.b $fileaddr 0x9f040000 $filesize
4. reset
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This patch moves build_fw() to mktplinkfw-lib.c
The versions of mktplinkfw.c and mktplinkfw2.c had slight
differences in code flow, the version from mktplinkfw.c has been
preferred.
While it's expected that this change will not affect mktplinkfw2,
all use cases could not be tested and so this particular change
is committed separately.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
This patch carves out the duplicated code of mktplinfw.c and
mktplinkfw2.c and moves it to mktplinkfw-lib.c
This change is a semantic NOP (the code is unchanged).
To ensure compatibility with gcc-5.x and newer without changing
the code, -fgnu89-inline is added to the build flags for these
two binaries.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
This patch removes all the hardcoded board-specific values from
mktplinkfw2.c, and as well as the corresponding support code.
By design, this change also deletes all of the broken matching logic
that was embedded in mktplinkfw2 and aligns the "inspect" behavior
with that of mktplinkfw (i.e. print the parsed header content as
they are without further processing).
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
TP-Link Archer C20 v1 is a router with 5-port FE switch and
non-detachable antennas. It's very similiar to TP-Link Archer C50.
Also it's based on MediaTek MT7620A+MT7610EN.
Specification:
- MediaTek MT7620A (580 Mhz)
- 64 MB of RAM
- 8 MB of FLASH
- 2T2R 2.4 GHz and 1T1R 5 GHz
- 5x 10/100 Mbps Ethernet
- 2x external, non-detachable antennas
- UART (J1) header on PCB (115200 8n1)
- 8x LED (GPIO-controlled*), 2x button, power input switch
- 1 x USB 2.0 port
* WAN LED in this devices is a dual-color, dual-leads type which isn't
(fully) supported by gpio-leds driver. This type of LED requires both
GPIOs state change at the same time to select color or turn it off.
For now, we support/use only the blue part of the LED.
* MT7610EN ac chip isn't not supported by LEDE. Therefore 5Ghz won't
work.
Factory image notes:
These devices use version 3 of TP-Link header, fortunately without RSA
signature (at least in case of devices sold in Europe). The difference
lays in the requirement for a non-zero value in "Additional Hardware
Version" field. Ideally, it should match the value stored in vendor
firmware header on device.
We are able to prepare factory firwmare file which is accepted and
(almost) correctly flashed from the vendor GUI. As it turned out, it
accepts files without U-Boot image with second header at the beginning
but due to some kind of bug in upgrade routine, flashed image gets
corrupted before it's written to flash. So, to flash this device we must
to prepare image using original firmware from tp-link site with uboot.
Flash instruction:
Until (if at all) TP-Link fixes described problem, the only way to flash
LEDE image in these devices is to use tftp recovery mode in U-Boot.
There are two ways to flash the device to LEDE:
1) Using tftp mode with UART connection and original LEDE image
- Place lede-ramips-mt7620-ArcherC20-squashfs-factory.bin in tftp
server directory
- Configure PC with static IP 192.168.0.66/24 and tftp server.
- Connect PC with one of LAN ports, power up the router and press
key "4" to access U-Boot CLI.
- Use the following commands to update the device to LEDE:
setenv serverip 192.168.0.66
tftp 0x80060000 lede-ramips-mt7620-ArcherC20-squashfs-factory.bin
erase tplink 0x20000 0x7a0000
cp.b 0x80060000 0x20000 0x7a0000
reset
- After that the device will reboot and boot to LEDE
2) Using tftp mode without UART connection but require some
manipulations with target image
- Download and unpack TP-Link Archer C20 v1 firmware from original web
site
- Split uboot.bin from original firmware by this command (example):
dd if=Archer_C20v1_0.9.1_4.0_up_boot(160427)_2016-04-27_13.53.59.bin of=uboot.bin bs=512 count=256 skip=1
- Create ArcherC20V1_tp_recovery.bin using this command:
cat uboot.bin lede-ramips-mt7620-ArcherC20-squashfs-factory.bin > ArcherC20V1_tp_recovery.bin
- Place ArcherC20V1_tp_recovery.bin in tftp server directory.
- Configure PC with static IP 192.168.0.66/24 and tftp server.
- Connect PC with one of LAN ports, press the reset button, power up
the router and keep button pressed for around 6-7 seconds, until
device starts downloading the file.
- Router will download file from server, write it to flash and reboot.
Signed-off-by: Maxim Anisimov <maxim.anisimov.ua@gmail.com>
When -e option it specified a corresponding flag is set in the
custom_board. By using custom_board as fallback -e option gets respected
for unknown boards.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
As we can now use combined mode in "mktplinkfw" tool to generate the
same header/image, this tool is no longer needed.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
We use combined option in "mktplinkfw" tool for generating initramfs
kernel images and header for kernel inside "safeloader" image type (in
fact, only for TL-WR1043ND v4 at this moment).
There is also "mktplinkfw-kernel" tool, a stripped-down version, used
only for generating "simple" header, for safeloader image types.
This changes how "mktplinkfw" handles combined images (which then will
allow us to drop the stripped-down version of the tool):
- drop "ignore size" command line option (it was used only for combined
images anyway)
- don't require "flash layout id" for combined images (we don't need and
shouldn't limit size of the initramfs kernel and for kernels inside
safeloader images, the "tplink-safeloader" tool does the size check)
- require kernel address and entry point in command line parameters for
combined images (consequence of previous point)
- don't include md5 sum and firmware length values in header (they are
needed only for update from vendor GUI and are ingored in case of
initramfs and "tplink-safeloader" images)
- drop "fake" flash layout for TL-WR1043ND v4 as it's no longer needed
Also, adjust "mktplinkfw-combined" command in ar71xx/image/tp-link.mk to
match introduced changes in "mktplinkfw" tool.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
This commit fixes build factory image for TP-Link Archer C60v1.
Size of partition "SupportList" is only 256 bytes, and can
contain only 3 entries.
Signed-off-by: Henryk Heisig <hyniu@o2.pl>
It seems simpler to store all custom (command line set) option values in
a struct identical to the predefined ones. It doesn't require:
1) Having so many global variables
2) Copying data from the predefined boards
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
This adds command line option in "mktplinkfw" tool for endianness swap
in kernel load address and entry point fields. As in "mktplinkfw2" tool,
we will need this for little-endian targets, like "ramips".
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
TP-Link TL-WR902AC v1 is a pocket-size, dual-band (AC750), successor of
TL-MR3020 (both devices use very similar enclosure, in same size). New
device is based on Qualcomm QCA9531 v2 + QCA9887. FCC ID: TE7WR902AC.
Specification:
- 650/391/216 MHz (CPU/DDR/AHB)
- 1x 10/100 Mbps Ethernet
- 1x USB 2.0 (GPIO-controlled power)
- 64 MB of RAM (DDR2)
- 8 MB of FLASH
- 2T2R 2.4 GHz (QCA9531)
- 1T1R 5 GHz (QCA9887)
- 5x LED (GPIO-controlled), 2x button, 1x 3-pos switch
- UART pads on PCB (TP1 -> TX, TP2 -> RX, TP3 -> GND, TP4 -> 3V3, jumper
resitors are missing on TX/RX lines)
- 1x micro USB (for power only)
Flash instructions:
Use "factory" image under vendor GUI.
Recovery instructions:
This device contains tftp recovery mode inside U-Boot. You can use it to
flash LEDE (use "factory" image) or vendor firmware.
1. Configure PC with static IP 192.168.0.66/24 and tftp server.
2. Rename "lede-ar71xx-generic-tl-wr902ac-v1-squashfs-factory.bin"
to "wr902acv1_un_tp_recovery.bin" and place it in tftp server dir.
3. Connect PC with LAN port, press the reset button, power up the router
and keep button pressed until WPS LED lights up.
4. Router will download file from server, write it to flash and reboot.
Root access over serial line in vendor firmware: root/sohoadmin.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
LEDE supports few devices using TP-Link firmware format (V2 or V3):
ArcherC20i, ArcherC50, ArcherMR200, TDW8970, TDW8980, TL-WR840N v4,
TL-WR841N v13 and VR200v
Testing mktplinkfw2 tool with official (vendor generated) firmware files
for above devices has shown an error when comparing calculated and
included MD5 sum, e.g.:
> mktplinkfw2 -i Archer_C20iv1_0.9.1_3.2_up_boot\(170221\)_2017-02-21_17.14.03.bin | grep -A 1 MD5Sum1
Header MD5Sum1 : 22 5a cb 92 10 d2 95 7b df 62 9a f8 62 17 37 10 (*ERROR*)
--> expected : ad 19 11 d1 78 98 a7 42 5f 2e 64 da 8a 34 ec cb
This problem has been verified to occur with:
Archer_C20iv1_0.9.1_3.2_up_boot(170221)_2017-02-21_17.14.03.bin
Archer MR200v1_0.9.1_1.1_up_boot_v004a.0 Build 160905 Rel.60037n.bin
TD-W8970v3_0.9.1_2.0_up_boot(160816)_2016-08-16_10.40.57.bin
TD-W8980v1_0.6.0_1.8_up_boot(150514)_2015-05-14_11.16.43.bin
Archer_VR200vv2_0.2.0_0.8.0_up_boot(161202)_2016-12-05_14.39.06.bin
For some images, e.g.:
Archer_C50v3_EU_0.9.1_0.3_up_boot[170417-rel52298].bin
TL-WR840Nv4_EU_0.9.1_4.16_up_boot[170421-rel70692].bin
TL-WR841Nv13_0.9.1_3.16_up_boot(161012).bin
mktplinkfw2 calculates zero MD5 so these has to be fixed separately:
> mktplinkfw2 -i TL-WR841Nv13_0.9.1_3.16_up_boot\(161012\).bin | grep -A 1 MD5Sum1
Header MD5Sum1 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 (*ERROR*)
--> expected : 6f 1d 9b 57 5d 42 14 6d bf a2 03 9d 46 7d 55 55
It's most likely that MD5 salt used in mktplinkfw2 has been always wrong
(and it's not a matter of e.g. a vendor change). Update it to fix MD5
calculation.
This has been also verified to calculate MD5 correctly for other (not
yet supported) devices, e.g.:
Archer_C3150v2_0.1.0_0.9.1_up_boot(160812)_2016-08-12_10.52.54.bin
Archer_C3200v1_0.9.1_0.1_up_boot(160704)_2016-07-04_15.48.28.bin
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Acked-by: Mathias Kresin <dev@kresin.me>
TP-Link TL-WR840N v4 and TL-WR841N v13 are simple N300 routers with
5-port FE switch and non-detachable antennas. Both are very similar
and are based on MediaTek MT7628NN (aka MT7628N) WiSoC.
The difference between these two models is in number of available
LEDs, buttons and power input switch.
This work is partially based on GitHub PR#974.
Specification:
- MT7628N/N (580 MHz)
- 64 MB of RAM (DDR2)
- 8 MB of FLASH
- 2T2R 2.4 GHz
- 5x 10/100 Mbps Ethernet
- 2x external, non-detachable antennas
- UART (J1) header on PCB (115200 8n1)
- TL-WR840N v4: 5x LED (GPIO-controlled), 1x button
- TL-WR841N v13: 8x LED (GPIO-controlled*), 2x button, power input
switch
* WAN LED in TL-WR841N v13 is a dual-color, dual-leads type which isn't
(fully) supported by gpio-leds driver. This type of LED requires both
GPIOs state change at the same time to select color or turn it off.
For now, we support/use only the green part of the LED.
Factory image notes:
These devices use version 3 of TP-Link header, fortunately without RSA
signature (at least in case of devices sold in Europe). The difference
lays in the requirement for a non-zero value in "Additional Hardware
Version" field. Ideally, it should match the value stored in vendor
firmware header on device ("0x4"/"0x13" for these devices) but it seems
that anything other than "0" is correct.
We are able to prepare factory firwmare file which is accepted and
(almost) correctly flashed from the vendor GUI. As it turned out, it
accepts files without U-Boot image with second header at the beginning
but due to some kind of bug in upgrade routine, flashed image gets
corrupted before it's written to flash.
Tests showed that the GUI upgrade routine copies value of "Additional
Hardware Version" from existing firmware into offset "0x2023c" in
provided file, _before_ storing it in flash. In case of vendor firmware
upgrade files (which all include U-Boot image and two headers), this
offset points to the matching field in kernel+rootfs firmware part
header. Unfortunately, in case of LEDE factory image file which contains
only one header, it points to the offset "0x2023c" in kernel image. This
leads to a corrupted kernel and ends up with a "soft-bricked" device.
The good news is that U-Boot in these devices contains well known tftp
recovery mode, which can be triggered with "reset" button. What's more,
in comparison to some of older MediaTek based TP-Link devices, this
recovery mode doesn't write whole file at offset "0x0" in flash, without
verifying provided file in advance. In case of recovery mode in these
devices, first "0x20000" bytes are always skipped and "0x7a0000" bytes
from rest of the file are stored in flash at offset "0x20000".
Flash instruction:
Until (if at all) TP-Link fixes described problem, the only way to flash
LEDE image in these devices is to use tftp recovery mode in U-Boot:
1. Configure PC with static IP 192.168.0.66/24 and tftp server.
2. Rename "lede-ramips-mt7628-tl-wr84...-squashfs-tftp-recovery.bin"
to "tp_recovery.bin" and place it in tftp server directory.
3. Connect PC with one of LAN ports, press the reset button, power up
the router and keep button pressed for around 6-7 seconds, until
device starts downloading the file.
4. Router will download file from server, write it to flash and reboot.
To access U-Boot CLI, keep pressed "4" key during boot.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>