Posted: Wed May 27, 2020 13:32 Post subject: Help Unbricking Archer C7 v3
I have an Archer C7 v3 that I'm trying to unbrick. I think I'm close, but I'm having trouble getting the recovery firmware to install via TFTP. Here's what I've done:
1. Downloaded the original TPLink Firmware and renamed it
2. Connected my router to my PC and set the IP to 192.168.0.66
3. Fired up TFTPD64 and browsed to the correct directory
4. Held down the reset button and turned on my router
Through the serial console I can see that the router is booting up, but when it tries to load the new firmware it shows T T then bails and tries to load the old kernel which isn't going to work. This happens with the original firmware, the DDWRT firmwares, and even the stripped down one.
The odd thing is that the original firmware *was* being flashed the first time I tried it, but I got the dreaded "auto update firmware: product id verify fail!" error. Now it's just showing those T's. Any idea on what I can do?
Here's the data from the console:
U-Boot 1.1.4 (May 8 2015 - 11:29:53)
ap135 - Scorpion 1.0DRAM:
sri
Scorpion 1.0
ath_ddr_initial_config(178): (32bit) ddr2 init
tap = 0x00000003
Tap (low, high) = (0x3, 0x1f)
Tap values = (0x11, 0x11, 0x11, 0x11)
128 MB
Flash Manuf Id 0xef, DeviceId0 0x40, DeviceId1 0x18
flash size 16MB, sector count = 256
Flash: 16 MB
Using default environment
*** Warning *** : PCIe WLAN Module not found !!!
In: serial
Out: serial
Err: serial
Net: ath_gmac_enet_initialize...
athrs_sgmii_res_cal: cal value = 0xe
No valid address in Flash. Using fixed address
No valid address in Flash. Using fixed address
ath_gmac_enet_initialize: reset mask:c02200
Scorpion ----> S17 PHY *
Vlan config...
TEST: FINAL REG VAL after TX Calibration - 0x46000000
TEST: FINAL XMII VAL after RX Calibration - 0x56000000
TEST: FINAL ETH_CFG VAL after RX Calibration - 0x00028001
athrs17_reg_init: complete
: cfg1 0x80000000 cfg2 0x7335
eth0: ba:be:fa:ce:08:41
eth0 up
athrs17_reg_init_wan done
SGMII in forced mode
athr_gmac_sgmii_setup SGMII done
: cfg1 0x800c0000 cfg2 0x7214
eth1: ba:be:fa:ce:08:41
eth1 up
eth0, eth1
Setting 0x18116290 to 0x58b1214f
dup 1 speed 1000
Using eth1 device
TFTP from server 192.168.0.66; our IP address is 192.168.0.86
Filename 'ArcherC7v3_tp_recovery.bin'.
Load address: 0x80060000
Loading: T T ## Booting image at 9f020000 ...
Uncompressing Kernel Image ... OK
Starting kernel ...
Last edited by tempest2084 on Thu May 28, 2020 12:44; edited 1 time in total
Ok I'm back to it giving me the "auto update firmware: product id verify fail!" error. It turns out that TFTPD64 was resetting the IP it was using when I wasn't looking (defaulting to 127.0.0.1).
So now I need to figure out how to edit the header in the firmware file to match what the router wants or somehow bypass it. Any ideas? Here's the log:
Bytes transferred = 16449536 (fb0000 hex)
original_product_id = 00
original_product_ver = 00
recovery_product_id = c7000002
recovery_product_ver = 01
auto update firmware: product id verify fail!
Autobooting in 1 seconds
## Booting image at 9f020000 ...
Uncompressing Kernel Image ... OK
Ok I was able to hex edit the firmware file and it loaded. It flashed and now I can get to login prompt through serial. Not sure what to do next, does this mean everything is restored or that I just restored console functionality?
Something must still be amiss because when I plug the router in it seems like all the lights are blinking like crazy. If I use a serial connection I can get to a login prompt but I have no idea what the user name or password is. Any ideas?
Not sure what to say. It's not DD-WRT, as I flashed it with the Archer firmware. It just says Archer C7. DD-WRT has some sort of notice at the prompt doesn't it? Maybe the default firmware is failing during its load? I'll get a picture of what it says exactly tomorrow.
Either way, the router isn't 100%. I can't get the GUI to come up.
Does pushing reset button for a longer time has any affect ?
Sort of. I get this when it does:
[ 40.760000] OL vap_start +
[ 40.760000] wmi_unified_vdev_start_send for vap 0 (86e20000)
[ 40.768000] OL vap_start -
[ 40.776000] ol_vdev_start_resp_ev for vap 0 (86e20000)
[ 40.780000] ol_ath_vap_join: join operation is only for STA/IBSS mode
[ 40.788000] ol_ath_wmm_update:
[ 40.788000] wmi_unified_vdev_up_send for vap 0 (86e20000)
[ 40.796000] Notification to UMAC VAP layer
[ 41.144000] Read from 0X1FC00 to 0X1FC06: OK
[ 41.152000] Read from 0X1FE00 to 0X1FE08: OK
[ 41.156000] Erase from 0XFA0000 to 0XFB1CA8:.
[ 41.324000] Program from 0XFA0000 to 0XFB1CA8:.
[ 41.752000] write successfully
[ 42.348000] Read from 0X1FE00 to 0X1FE08: OK
[ 42.352000] Erase from 0XFA0000 to 0XFB1CA8:.
[ 42.528000] Program from 0XFA0000 to 0XFB1CA8:.
[ 42.952000] write successfully
[ 43.568000] Erase from 0XFA0000 to 0XFB1CA8:.
[ 43.732000] Program from 0XFA0000 to 0XFB1CA8:.
[ 44.152000] write successfully
[ 45.932000] Restarting system.
After that it goes back to what it was doing before though. Progress?
Joined: 08 May 2018 Posts: 14242 Location: Texas, USA
Posted: Fri May 29, 2020 21:07 Post subject:
Ok, I have to ask, are you absolutely sure that this device is a v3? The only thing I can think of is something seriously got pooched somewhere and the device version is askew or something. I have never seen any of these be so damn difficult. _________________ "Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT Pogo - A minimal level of ability is expected and needed... DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)
----------------------
Linux User #377467 counter.li.org / linuxcounter.net