LEDE/OpenWrt for TP-Link Archer C20i

NEWS

2016-09-01: New prebuilt sysupgrade image.

2016-07-28: All patches are available.

2016-07-23: Everything except 5GHz is working - prebuilt images provided as download.

2016-07-20: Added info on recovery and TFTP flashing.



You may also consult the OpenWrt wiki at https://wiki.openwrt.org/toh/tp-link/archer-c20i

Support Status

Works Does not work

Download Prebuilt Images

Based on LEDE r1085, kernel 4.4.15.
Based on LEDE r1479, kernel 4.4.9.
As I currently have no device to test on, I can only provide this image to the best of my knowledge.
This image should resolve the issues around the target/toolchain
(24kec+dsp vs. 24kc) that showed up e.g. during opkg update.

Flashing LEDE/OpenWrt

I didn't have a single success when uploading firmware images to the factory
web-GUI. Instead, this always led me to a soft-brick / boot-loop, where
this would help.

For the first flash from factory to LEDE/OpenWrt I have always had success
with a custom TFTP recovery image.
Either download the file mentioned above, or build it yourself (optional):
Grab TP-Link's image at tp-link.com (extract the *.bin and save it as archer_original.bin),
get an image for the Archer C20i, e.g. LEDE, and merge both.
We want to get the U-Boot partition from the original image and concatenate it
with the firmware from our image:
dd if=archer_original.bin of=archer_uboot.bin bs=512 count=256 skip=1
cat archer_uboot.bin lede-ramips-mt7620-ArcherC20i-squashfs-sysupgrade.bin > ArcherC20iV1_tp_recovery.bin
For flashing, you hold down the WPS/Reset button and power up the unit.
After 10 seconds it will request the file ArcherC20iV1_tp_recovery.bin from
a TFTP server at address 192.168.0.66 (could be 192.168.1.66 on some versions).
It should then automatically reboot into the new operating system.

Once you are on LEDE/OpenWrt you can update using sysupgrade.

Going back to factory / TFTP-flash

The reason why this router gets bricked so easily is the fact that
the bootloader (when doing a TFTP upload) always starts writing flash at
address 0x0 -- thus overwriting the U-Boot partition.
If you want to go back to factory, get TP-Link's image and strip off the
first 512 bytes:
dd if=archer_firwmare.bin of=ArcherC20iV1_tp_recovery.bin bs=512 skip=1
Hold down the WPS/Reset button and power up the unit. After 10 seconds
it will request the file ArcherC20iV1_tp_recovery.bin from a TFTP server
at address 192.168.0.66 (could be 192.168.1.66 on some versions).
It should then automatically reboot into the given image.

Background Info

The *.bin-file you can download at TP-Link is built as follows:
512 bytes file header
128 kBytes U-Boot
7.6 MBytes Firmware
For TFTP flashing, images MUST start with the U-Boot partition.
If you want to flash your own firmware, you replace the 7.6 MB
at the end of the file with your own firmware. Anyway, you have to strip
off the first 512 bytes file header.
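
The layout above, turned into a build step with size checks before anything is offered over TFTP. This is an added example, not the author's script. The helper name build_recovery is hypothetical, and the upper size limit is an assumption derived from the page's own numbers (8388608-byte flash, config partitions in the last 4 x 64k).

```shell
#!/bin/sh
# Added example: sizes below are the ones stated on this page.
HDR=512                      # TP-Link file header
UBOOT=$((128 * 1024))        # U-Boot partition
FLASH=8388608                # full SPI flash image
CONFIG=$((4 * 65536))        # config partitions (dd bs=64k count=4 skip=124)
# Assumption: since TFTP writes from 0x0, the image must end before the configs.
MAX_IMG=$((FLASH - CONFIG))

fsize() { wc -c < "$1" | tr -d ' '; }

# build_recovery FACTORY_BIN FIRMWARE_BIN OUT_BIN  (hypothetical helper name)
build_recovery() {
    factory=$1; fw=$2; out=$3
    if [ ! -r "$factory" ] || [ ! -r "$fw" ]; then
        echo "cannot read input files" >&2; return 1
    fi
    # The factory file must contain the header plus a complete U-Boot.
    if [ "$(fsize "$factory")" -lt $((HDR + UBOOT)) ]; then
        echo "factory image too short for header + U-Boot" >&2; return 1
    fi
    # U-Boot + firmware must not reach the hardware configuration area.
    want=$((UBOOT + $(fsize "$fw")))
    if [ "$want" -gt "$MAX_IMG" ]; then
        echo "firmware too large: would overwrite config partitions" >&2; return 1
    fi
    tmp=$(mktemp) || return 1
    # Same dd as on the page: skip the header, copy 256 * 512 = 128 KiB.
    dd if="$factory" of="$tmp" bs=512 count=256 skip=1 2>/dev/null
    if [ "$(fsize "$tmp")" -ne "$UBOOT" ]; then
        echo "short read while extracting U-Boot" >&2; rm -f "$tmp"; return 1
    fi
    cat "$tmp" "$fw" > "$out"
    rm -f "$tmp"
    # Refuse to hand over an image whose size is not what was computed.
    if [ "$(fsize "$out")" -ne "$want" ]; then
        echo "unexpected output size" >&2; rm -f "$out"; return 1
    fi
    echo "$out: $want bytes (U-Boot $UBOOT + firmware $((want - UBOOT)))"
}

# Run only when called with three arguments; sourcing defines the functions.
if [ "$#" -eq 3 ]; then build_recovery "$@"; fi
```

A truncated download or an oversized firmware is rejected here instead of being written to flash starting at 0x0.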

Recovering from a bad flash / Unbrick your router

Believe me, bricking a C20i can happen really fast. Here's my routine to
unbrick using a RaspberryPi. First, desolder the SPI flash chip (labelled U18).
Get an old 40-wire IDE cable and cut off one connector leaving ca. 10cm cable on it.
Connect the IDE wires to the chip as follows:
Flash Pin   Meaning   IDE Pin
1           CS        24
2           DO        21
3           WP        17
4           GND       25
5           DI        19
6           CLK       23
7           HOLD      17
8           VCC       17
Connect the IDE cable to your RaspberryPi (Pin 1 is on the left)
On the shell type:
raspi-config
9 - Advanced Options
A5 - SPI
Yes
Ok
Finish
Get a copy of flashrom from flashrom.org
Extract the sources, and type
make CONFIG_ENABLE_LIBPCI_PROGRAMMERS=no CONFIG_ENABLE_LIBUSB0_PROGRAMMERS=no CONFIG_ENABLE_LIBUSB1_PROGRAMMERS=no
to compile the software without additional programmer interfaces.
As we will flash the whole chip's contents, we first have to recover your
hardware configuration (MAC address, etc.) which is very unlikely to be destroyed
by the failed flashing attempt. Dump the chip's contents with
./flashrom -r c20i_original.bin -p linux_spi:dev=/dev/spidev0.0
and then cut out the hardware dependent configuration partitions:
dd if=c20i_original.bin of=c20i_configs.bin bs=64k count=4 skip=124
Get TP-Link's original firmware, e.g. Here and extract the archive.
I've immediately renamed the file to get rid of the brackets. Then we cut off the file header:
dd if=archer_firwmare.bin of=archer_stripped.bin bs=512 skip=1
Merge these two binaries and we should have a file of exactly 8388608 bytes length.
cat archer_stripped.bin c20i_configs.bin > new_flash.bin
Finally flash this file to the IC:
./flashrom -w new_flash.bin -p linux_spi:dev=/dev/spidev0.0
You're done. Solder the chip back to your router board and it will boot up
TP-Link's firmware just fine.

Modifications / Patches




If there are any new findings, problems or questions contact me at: p [dot] wassi [at] gmx [dot] at

Last modified: 2017-02-26 18:12:32