[tempest2084]

I have an Archer C7 v3 that I'm trying to unbrick. I think I'm close, but I'm having trouble getting the recovery firmware to install via TFTP. Here's what I've done:

1. Downloaded the original TPLink Firmware and renamed it
2. Connected my router to my PC and set the IP to 192.168.0.66
3. Fired up TFTPD64 and browsed to the correct directory
4. Held down the reset button and turned on my router

Through the serial console I can see that the router is booting up, but when it tries to load the new firmware it shows T T then bails and tries to load the old kernel which isn't going to work. This happens with the original firmware, the DDWRT firmwares, and even the stripped down one.

The odd thing is that the original firmware *was* being flashed the first time I tried it, but I got the dreaded "auto update firmware: product id verify fail!" error. Now it's just showing those T's. Any idea on what I can do?

Here's the data from the console:

U-Boot 1.1.4 (May 8 2015 - 11:29:53)

ap135 - Scorpion 1.0DRAM:
sri
Scorpion 1.0
ath_ddr_initial_config(178): (32bit) ddr2 init
tap = 0x00000003
Tap (low, high) = (0x3, 0x1f)
Tap values = (0x11, 0x11, 0x11, 0x11)
128 MB
Flash Manuf Id 0xef, DeviceId0 0x40, DeviceId1 0x18
flash size 16MB, sector count = 256
Flash: 16 MB
Using default environment

*** Warning *** : PCIe WLAN Module not found !!!
In: serial
Out: serial
Err: serial
Net: ath_gmac_enet_initialize...
athrs_sgmii_res_cal: cal value = 0xe
No valid address in Flash. Using fixed address
No valid address in Flash. Using fixed address
ath_gmac_enet_initialize: reset mask:c02200
Scorpion ----> S17 PHY *
Vlan config...
TEST: FINAL REG VAL after TX Calibration - 0x46000000
TEST: FINAL XMII VAL after RX Calibration - 0x56000000
TEST: FINAL ETH_CFG VAL after RX Calibration - 0x00028001
athrs17_reg_init: complete
: cfg1 0x80000000 cfg2 0x7335
eth0: ba:be:fa:ce:08:41
eth0 up
athrs17_reg_init_wan done
SGMII in forced mode
athr_gmac_sgmii_setup SGMII done
: cfg1 0x800c0000 cfg2 0x7214
eth1: ba:be:fa:ce:08:41
eth1 up
eth0, eth1
Setting 0x18116290 to 0x58b1214f
dup 1 speed 1000
Using eth1 device
TFTP from server 192.168.0.66; our IP address is 192.168.0.86
Filename 'ArcherC7v3_tp_recovery.bin'.
Load address: 0x80060000
Loading: T T ## Booting image at 9f020000 ...
Uncompressing Kernel Image ... OK

Starting kernel ...

[kernel-panic69]

tftpd32 v4.52 32-bit standard edition server/client software with "Use Anticipation Window of 1024 bytes" under settings for TFTP checked might help.

[tempest2084]

I dont know if I can run the 32 bit version on 64-bit Windows 10.

[tempest2084]

Tried this on my 64-bit version. Same results.

[kernel-panic69]

I wouldn't recommend it if it wouldn't run

[tempest2084]

Ok I'm back to it giving me the "auto update firmware: product id verify fail!" error. It turns out that TFTPD64 was resetting the IP it was using when I wasn't looking (defaulting to 127.0.0.1).

So now I need to figure out how to edit the header in the firmware file to match what the router wants or somehow bypass it. Any ideas? Here's the log:

Bytes transferred = 16449536 (fb0000 hex)
original_product_id = 00
original_product_ver = 00
recovery_product_id = c7000002
recovery_product_ver = 01
auto update firmware: product id verify fail!
Autobooting in 1 seconds
## Booting image at 9f020000 ...
Uncompressing Kernel Image ... OK

[tempest2084]

Ok I was able to hex edit the firmware file and it loaded. It flashed and now I can get to login prompt through serial. Not sure what to do next, does this mean everything is restored or that I just restored console functionality?

[tempest2084]

Something must still be amiss because when I plug the router in it seems like all the lights are blinking like crazy. If I use a serial connection I can get to a login prompt but I have no idea what the user name or password is. Any ideas?

[kernel-panic69]

Stock firmware doesn't have a serial login. DD-WRT will be whatever the default is, unless you changed it.

[tempest2084]

Not sure what to say. It's not DD-WRT, as I flashed it with the Archer firmware. It just says Archer C7. DD-WRT has some sort of notice at the prompt doesn't it? Maybe the default firmware is failing during its load? I'll get a picture of what it says exactly tomorrow.

Either way, the router isn't 100%. I can't get the GUI to come up.

[tempest2084]

I won't post the entire boot cycle because it's really long, but here's the last part:

[ 40.752000] OL vap_start +
[ 40.752000] wmi_unified_vdev_start_send for vap 0 (86e20000)
[ 40.760000] OL vap_start -
[ 40.768000] ol_vdev_start_resp_ev for vap 0 (86e20000)
[ 40.772000] ol_ath_vap_join: join operation is only for STA/IBSS mode
[ 40.780000] ol_ath_wmm_update:
[ 40.780000] wmi_unified_vdev_up_send for vap 0 (86e20000)
[ 40.788000] Notification to UMAC VAP layer

After this nothing shows up but if I press enter I get a login prompt:

Archer C7 mips #1 Fri May 8 11:33:00 CST 2015 (none)
Archer C7 login:

[tempest2084]

I've been trying various login combinations but nothing seems to work. So far I've tried:

admin/<nothing>
admin/admin
root/<nothing>
root/root

Any other suggestions?

[servicetech]

[tempest2084]

[kernel-panic69]

Ok, I have to ask, are you absolutely sure that this device is a v3? The only thing I can think of is something seriously got pooched somewhere and the device version is askew or something. I have never seen any of these be so damn difficult.