Hi, I managed to get a full dump from the  W25Q64.V chip inside my TP-Link W8970. I used the Raspberry Pi interface (https://addpics.com/i/541081446911643522/242-2-c07f.jpg https://addpics.com/i/541081446911643522/242-2-c07f.jpg), flashrom (https://www.flashrom.org/Flashrom),, a breadboard, a clip (http://g02.a.alicdn.com/kf/HTB1v7msIXXX … s-G540.jpg) to avoid soldering wires directly. Now I can easily read/write the flash inside my modem.

This (https://wiki.openwrt.org/toh/tp-link/td … ash_layout) is the flash layout/instructions to install OpenWrt with a serial console, since I get the full dump, can I download the sysupgrade image (https://downloads.openwrt.org/chaos_cal … rade.image) merge it with the dump and after that write everything in the flash?

Should I replace the contents inside the dump file (8MB) with the sysupgrade image (4MB) starting from 0x20000 (avoid uboot)?

Ty for your help

(Last edited by Vento on 14 Jun 2016, 15:01)

Hello,

this has been documented also year ago.

http://www.skfree.sk/2015/08/26/tp-link … ebricking/

Yes, you can replace a part of EEPROM dump with OPENWRT area, but mutch faster is to flash router with Openwrt and then make a dump of EEPROM. To save you time, i have done it time ago and link is available in above article.

Correct size of EEPROM flash is 8388608 bits.

Mgx

Ok done flashed with no problem

Hi skfree,

could you please reupload the tplink8970.zip file ? I'm trying to unbrick my w8970 because I've made your same mistake

me too, i need the file in this article!

I guess it is way easier to load u-boot via UART, extract the u-boot from the latest 8970 v1 firmware image and write it to flash.

The TP-Link firmare image file has a 512 byte header prefixed which need to be skipped. The u-boot follows after the header and has a size of 128KByte (in hex 0x20000 byte). You can extract the u-boot using the linux dd command for example:

dd if="./TD-W8970v1_0.6.0_2.12_up_boot(140613)_2014-06-13_09.17.23.bin" bs=512 skip=1 count=256 of=./TD-W8970v1_0.6.0_2.12_up_boot.bin 

Start u-boot via UART as described in the TD-W8970 wiki article.

Make the TD-W8970v1_0.6.0_2.12_up_boot.bin file available via your local tftp server and run the following commands from the UART loaded uboot prompt:

setenv serverip 192.168.1.2
tftpboot 0x81000000 TD-W8970v1_0.6.0_2.12_up_boot.bin
sf erase 0x0 0x20000 
sf write 0x81000000 0x0 0x20000

The u-boot should be fixed on next power cycle.

Thank you, but i'm in the situatione described in "corrupted UBoot" of the page. Then I need the backup file of the eeprom to write it with Raspberry...

Yeah I got that your u-boot on flash is corrupted.

All lantiq SoCs provide a way to bring the CPU into a mode that it loads the bootloader via serial console instead of trying to read the (broken) u-boot from flash.

That is what I'm talking about and what is known as UART boot. Means, no desoldering of the SPI flash chip, no buspirate/flashrom+Rpi or whatever tool/hardware is required to write the SPI flash chip directly. Only a serial console is required.

Check the link I've provided for details.

File reuploaded

can you please reupload the full dump i need it to recover my modem. Thank you.