OpenWrt Forum Archive

Topic: Flash MX25L6433F using Raspberry Pi- How to get layout and ROM file

The content of this topic has been archived on 27 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello,

Recently I have bricked an Archer C20 V1 while trying to load OpenWrt on it using TFTP. The only way to recover it is to directly write the flash using SPI.

While I have some idea of soldering/desoldering as well as flashing MCUs with hex files, I have not handled a NOR flash yet. The NOR flash in the router is a MX25L6433F 8-pin SOP.

While I do not have an SPI device for that kind of chips, what I can do is to write to it using my Raspberry Pi and FlashROM. However, to use FlashROM, first I need the layout file and the ROM file.

I am guessing that I need to do some manipulation with the OpenWRT bin file to create the ROM file (and the layout data is also probably hidden somewhere inside the bin file), but how? I do not know how either file is organized. Can you pls help?

So, you killed your u-boot? In that case, it would be best to recover just that. You should put your u-boot partition information into a layout file and extract a u-boot from a stock firmware file. Then you should only flash this specific region and hope that the end area of your flash did not get overwritten.
After that, you can flash whatever firmware via TFTP.

MBS wrote:

So, you killed your u-boot? In that case, it would be best to recover just that. You should put your u-boot partition information into a layout file and extract a u-boot from a stock firmware file. Then you should only flash this specific region and hope that the end area of your flash did not get overwritten.
After that, you can flash whatever firmware via TFTP.

https://i.imgur.com/x45Q2YKm.jpg



For anyone stumbling upon this post, found some instructions here: https://dev.wlan-si.net/wiki/Routers/TP … lashMemory

No idea whether printenv will still work on a corrupted flash. Will report back after trying.

NOR flash is relatively simple. Most TP-Links have a bootloader of 128 kbytes followed immediately by the kernel / filesystem image. The last block in the flash is the ART radio data; it also has your MAC address and other unit-specific data. Hopefully this is still in the chip because it is unit-specific.

So first you want to read your chip and archive whatever remains.  If you're building your own programmer, practice with another chip to be sure it can read and write OK.

Most people are using the CH341A based USB programmers which cost less than $10.

Obtain a stock firmware from the TP-Link website that has "boot" in the name and remove the first 512 bytes of the file; that is a header. Then flash the rest of the file into your chip starting at address 0. You should be preserving the last 64k.
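
The procedure from the last post (archive the chip, strip the 512-byte header, write from address 0, keep the last 64k) together with the layout-file approach suggested earlier, as an added example that is not part of the original thread. The 8 MiB size follows from the MX25L6433F being a 64 Mbit part; the region names, the command-line file arguments and the assumption that this router uses the 128k bootloader boundary are illustrative.

```python
import sys

FLASH_SIZE = 8 * 1024 * 1024  # MX25L6433F: 64 Mbit = 8 MiB
HEADER_LEN = 512              # stock "boot" file header (per the post)
BOOT_LEN = 128 * 1024         # bootloader size on most TP-Links (per the post)
TAIL_LEN = 64 * 1024          # last 64k: ART / MAC, unit-specific (per the post)


def tail_looks_blank(dump: bytes) -> bool:
    """True if the last 64k is all 0xFF or all 0x00, i.e. the unit data is gone."""
    tail = dump[-TAIL_LEN:]
    return tail in (b"\xff" * TAIL_LEN, b"\x00" * TAIL_LEN)


def build_image(dump: bytes, stock: bytes) -> bytes:
    """Overlay the header-stripped stock file at address 0 of the chip dump."""
    if len(dump) != FLASH_SIZE:
        raise ValueError(f"dump is {len(dump)} bytes, expected {FLASH_SIZE}")
    payload = stock[HEADER_LEN:]
    if not payload:
        raise ValueError("stock file is not longer than its 512-byte header")
    if len(payload) > FLASH_SIZE - TAIL_LEN:
        raise ValueError("stock payload would overwrite the last 64k")
    image = bytearray(dump)
    image[:len(payload)] = payload  # everything past the payload stays as read
    return bytes(image)


def layout_text() -> str:
    """flashrom layout: inclusive hex ranges, one 'start:end name' per line."""
    regions = [  # region names are hypothetical labels
        (0, BOOT_LEN - 1, "boot"),
        (BOOT_LEN, FLASH_SIZE - TAIL_LEN - 1, "firmware"),
        (FLASH_SIZE - TAIL_LEN, FLASH_SIZE - 1, "art"),
    ]
    return "".join(f"{s:08x}:{e:08x} {n}\n" for s, e, n in regions)


if __name__ == "__main__":
    # usage: <script> dump.bin stock_boot.bin out.bin layout.txt
    dump_path, stock_path, out_path, layout_path = sys.argv[1:5]
    dump = open(dump_path, "rb").read()
    if tail_looks_blank(dump):
        print("warning: last 64k of the dump is blank", file=sys.stderr)
    open(out_path, "wb").write(build_image(dump, open(stock_path, "rb").read()))
    open(layout_path, "w").write(layout_text())
    # then: flashrom -p <programmer> -l layout.txt -i boot -w out.bin
```

Keep the original dump file untouched; writing with `-i boot` alone leaves the other regions of the chip as they are.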

The discussion might have continued from here.