Unbrick mr3220v2

From evolulution-plugins
Revision as of 21:57, 3 October 2021 by Admin (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

I managed to brick my latest tp-link mr3220v2 beyond the rescue point.

Mr3220v2-bricked.png

This version of router as its older brothers have a serial header connector (unpopulated).

This is marked as "unfriendly" on openwrt site.

What "unfriendly" means here is the header is not routed on the board, they're just open connections, and you have to patch them to correct pads to gain serial output. Unfortunately this wasn't enough to gain access to the router.

Mr3220pads.jpg Serialheader.jpg


While I was able to read the output generated by the router, I wasn't able to type anything in, it seems RX still isn't routed to the header.


So the only option was to flash the chip directly. Which mean desoldering the chip first and put it in a programmer.


This is the first router with this kind of chip, datasheet here: en25q32 datasheet.


Looking at the above screenshot seems the bootloader works fine, it seems kernel got corrupted somewhere in the middle.


The next step was to desolder the flash chip and to put it in a programmer and try to read it at least to see what is going on there.


My initial thought was to use adrduino to read it - it was fairly simpleto read 24XX chips in the past with arduino but I wasn't sure how easy is to read this kind of chip. Then I remember of flashrom project that is able to read several types of flash and knows quite a few programmers and Arduino was among them. The problem was that support for arduino mega was barely working and I didn't have an UNO on me - so to say. But among other programmers there was Raspberry PI supported using linux SPI interface so nothing easier than that.


I hooked the chip to my RPI:


Rpiflash.jpg


and read the flash:


  1. flashrom -r mr3220-flash.bin -V -p linux_spi:dev=/dev/spidev0.0


looking at the resulting file it seems my kernel partition got half way written - I was trying to reflash my openwrt firmware via well know methods and it seems somehow I've reset box too early. Anyway I wasn't sure what to write where, but I managed to find the flash partition structure on openwrt site:


00000000:00020000 boot

00020000:00120000 kernel

00120000:003e0000 rootfs

003e0000:003f0000 config

003f0000:00400000 art


and I was able to find an mr3020-mtd-zip mtd image file from a previous version (mr3020) of this router. Quickly comparing the flash image with this file they seem similar. So now it was a matter of copying the correct partition files over the read flash file and finally upload it back.

Mr3220sock.jpg

In order to be able to flash image with flashrom the image needs to be exactly the same size as en25q32 which is 4194304 (4.0M).


Now, openwrt images we can get from openwrt site (or the original firmware) contain only the kernel,rootfs and perhaps config partition.


In order to be able to write the image we still need boot(containing u-boot) and art partitions.


What is and why we need boot partition is self explanatory.


art partition (Athereos Radio Test) contains calibration data for the wireless interface, without it router won't be able to initialize and bring wireless interface up.


I was able to retrieve original boot partition, however it can easily be rebuild compiling u-boot from source.


Also I managed to recover the original art partition. Initially I was convinced this data is model specific, containing MAC address and other specific data, but in the end this wasn't true.


I grabbed the art file from mr3020 zip and compared with the one I retrieved and there are no differences.