TP-Link RE200

The TP-Link RE200 is a wall-pluggable dual-band wireless range extender (802.11b/g/n and 802.11a/n/ac) based on the MediaTek SoCs with an Ethernet port. The RE200v1 is based on a MT7620A SoC, while the RE200v2, RE200v3 and RE200v4 are based on a MT7628A SoC.

The latest RE200 v5 is not supported by OpenWrt! The device only has 4MB of flash and runs VxWorks by default.

It is possible to install OpenWrt via the TP-Link web interface, but you need to prepare the image first.

Automatic image preparation

The GUI tool (openwrt-imagetool) for creating a web-flashable image based on an original TP-Link firmware image and an OpenWrt image is available in this mercurial repo. Follow the instructions there or in the software. The software basically automates the below steps.

Manual image preparation

You need an original firmware, the -factory.bin image as well as a tool to fix the image checksum. The below steps worked for me (Warning: The firmware upgrade overwrites the boot loader and there is no recovery mode present!):

dd if=re200v1_eu_3_14_2_up_boot\(160329\).bin of=uboot.bin bs=1 count=131584
cat uboot.bin openwrt-ramips-mt7620-tplink_re200-v1-squashfs-factory.bin > stock_upgrade.bin

Then, the Header MD5sum1 needs to be fixed. You can use mktplinkfw -i stock_upgrade.bin to find out the correct MD5 sum and a hex editor to change the bytes of the header sum. The web interface now happily accepts the image.

Simply install the -factory.bin image via the stock web interface. This procedure does not overwrite U-Boot, hence you have higher chances of being able to recover from a bad flash.

You need to configure a TFTP server at 192.168.0.10 and PUT the -factory.bin image as “test.bin”. Then, interrupt the boot loader by pressing '2', accept the defaults and OpenWrt will be installed to flash. RE200 will look for test.bin at 192.168.0.10 having its own IP set as 192.168.0.254.

You need to configure a TFTP server at 192.168.0.184 and PUT the -factory.bin image as “test.bin”. Then, interrupt the boot loader by pressing '2', accept the defaults and OpenWrt will be installed to flash. RE200 will look for test.bin at 192.168.0.184 having its own IP set as 192.168.0.254.

Download an OEM firmware from TP-Link and prepare it as follows (we need to strip the first 0x200 bytes TP-Link header and the next 0x20000 bytes U-Boot):

dd if=re200v1_eu_3_14_2_up_boot\(160329\).bin of=re200v1_tftp.bin bs=1 skip=131584

Transfer this file to your RE200 running OpenWrt:

scp -O re200v1_tftp.bin root@192.168.1.1:/tmp

Install it by forcing a sysupgrade:

sysupgrade -F -n /tmp/re200v1_tftp.bin

Flashing this relatively big file takes some time, so be patient. Afterwards, you should be back to stock.

If you flash the wrong file or mess up the preparation, you will have to disassemble your device and attach serial console!

As an alternative, you can use serial console: Put the resulting re200v1_tftp.bin image as “test.bin” to your TFTP server. Install via Serial as you would install OpenWrt.

Download an OEM firmware from TP-Link and prepare it using the tool tplink-safeloader from the OpenWrt development environment (should be included in the Image Builder):

build_dir/host/firmware-utils/bin/tplink-safeloader -z oem-firmware.bin -o oem-sysupgrade.bin

Transfer the resulting file to /tmp on the device, then run sysupgrade /tmp/sysupgrade.bin -F on the device. -F is necessary because the firmware does not have the upgrade metadata appended.

Attention: After the first reboot, it is advisable to flash an OEM firmware upgrade. Otherwise, the software version is displayed as 0.0.0.

Note: RE200v4 OEM firmware requires a soft_ver HIGHER than its own. This means (for the time being until a solution is found):

If you

  1. Upgrade from stock to OpenWrt or
  2. Upgrade stock to newer stock version

it will require the firmware image to contain a later firmware version than the one currently installed. However, if OpenWrt is always $STOCK+1, you cannot simply flash OpenWrt and revert to stock. Doing so would leave you with the OpenWrt-supplied FW version stored in the soft-version partition. Stock will then refuse any FW with a version lower or equal to this; which simply might not exist.

This also makes the following impossible:

  1. flash OpenWrt
  2. revert to stock
  3. flash OpenWrt again (fails because the firmware already has the version used by this image)

If the obove mentioned serial recovery should fail because of this, one could do the following:

  1. place openwrt-ramips-mt76x8-tplink_re200-v4-initramfs-kernel.bin as test.bin at the tftp server (if you compile that target it will drop in bin/targets along with the other images)
  2. press 4 to enter console mode (write help for available commands)
  3. tftp to load image into ram
  4. bootm to start the kernel
  5. you now have a running openwrt kernel and may bring a working image to /tmp (wget)
  6. sysupgrade with your image

This however will not overwrite soft_ver!

RE200v1 RE200v2/v3/v4
Instruction set MIPS
Vendor MediaTek
bootloader U-Boot
System-On-Chip MT7620A MT7628A
CPU/Speed 580 MHz
Flash-Chip cFeon Q64-104HIP ?
Flash size 8192 KiB
RAM 64 MiB
Wireless No1 SoC-integrated: MT7620A 2.4GHz 802.11bgn SoC-integrated: MT7628AN 2.4GHz 802.11bgn
Wireless No2 On-board chip: MT7610EN 5GHz 802.11ac
USB No
Serial Yes

Front:
TP-Link RE200 (front view)

Back:
TP-Link RE200 (rear view)

Bottom:
TP-Link RE200 (bottom view)

Note: This will void your warranty!

The case is welded together and you can't open it easily. I used a swivel vise to crack open the case. If done carefully, it only leaves a few small marks. I super-glued mine back together after porting OpenWrt.

DANGER: HIGH VOLTAGE inside!
Opening this device exposes
parts under high voltage (110/230 VAC)!

  • Risk of deadly electrical shock
  • Risk of irreversable damage to other components attached, e.g. your PC connected via serial

Make sure to keep your fingers, conductive tools and serial cables away from the high voltage at all times!

Capacitors can still retain dangerous voltages
after disconnection from mains!

Continue at your own risk!

Serial port: 3.3V voltage (measured on RE200v1), 57600 baud, 8N1.

Interrupting U-Boot depends on your terminal: for interrupting U-Boot, you must not send a line feed!

4 pins from on the right (on the picture) starting with a top square shape not connected and following with GND, RX and TX. As noticed in version 1.1, RX and TX may be switched with places. If no output in TTL on boot, try to switch them.

RE200-V4 mainboard view.

U-Boot 1.1.3 (Aug 19 2014 - 17:43:44)

Board: Ralink APSoC DRAM:  64 MB
relocate_code Pointer at: 83fb4000
enable ephy clock...done. rf reg 29 = 5
SSC disabled.
spi_wait_nsec: 29
spi device id: 1c 30 17 1c 30 (30171c30)
find flash: EN25Q64
============================================
Ralink UBoot Version: 4.1.0.0
This UBoot has been rewritten by TPLINK *_*
--------------------------------------------
ASIC 7620_MP (Port5<->None)
DRAM component: 512 Mbits DDR, width 16
DRAM bus: 16 bit
Total memory: 64 MBytes
Flash component: SPI Flash
Date:Aug 19 2014  Time:17:43:44
============================================
icache: sets:512, ways:4, linesz:32 ,total:65536
dcache: sets:256, ways:4, linesz:32 ,total:32768

 ##### The CPU freq = 580 MHZ ####
 estimate memory size =64 Mbytes

Please choose the operation:
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   6: Load ART data then write to Flash via TFTP.
   7: Load Boot Loader code then write to Flash via Serial.
   9: Load Boot Loader code then write to Flash via TFTP.

You choosed 4
                                                                              0
raspi_read: from:20028 len:6


4: System Enter Boot Command Line Interface.

U-Boot 1.1.3 (Aug 19 2014 - 17:43:44)
MT7620 # ?
?       - alias for 'help'
bootm   - boot application image from memory
cp      - memory copy(add cp.b by HouXB)
erase   - erase SPI FLASH memory
go      - start application at address 'addr'
help    - print online help
loadb   - load binary file over serial line (kermit mode)
md      - memory display
mdio   - Ralink PHY register R/W command !!
mm      - memory modify (auto-incrementing)
nm      - memory modify (constant address)
printenv- print environment variables
reset   - Perform RESET of the CPU
rf      - read/write rf register
saveenv - save environment variables to persistent storage
setenv  - set environment variables
tftpboot- boot image via network using TFTP protocol
version - print monitor version
MT7620 # printenv
bootcmd=tftp
bootdelay=1
baudrate=57600
ethaddr="00:AA:BB:CC:DD:10"
ipaddr=192.168.0.254
serverip=192.168.0.10
stdin=serial
stdout=serial
stderr=serial

Environment size: 152/4092 bytes
MT7620 #
U-Boot 1.1.3 (Jul  8 2020 - 12:47:21)

Board: Ralink APSoC DRAM:  64 MB
relocate_code Pointer at: 83fb8000
Use New Uboot
Use New Uboot patch lock_dcache addiu $12, 0x1000
flash manufacture id: ef, device id 40 17
find flash: W25Q64BV
*** Warning - bad CRC, using default environment

============================================ 
Ralink UBoot Version: 5.0.0.0
-------------------------------------------- 
ASIC 7628_MP (Port5<->None)
DRAM component: 512 Mbits DDR, width 16
DRAM bus: 16 bit
Total memory: 64 MBytes
Flash component: SPI Flash
Date:Jul  8 2020  Time:12:47:21
============================================ 
icache: sets:512, ways:4, linesz:32 ,total:65536
dcache: sets:256, ways:4, linesz:32 ,total:32768 

 ##### The CPU freq = 580 MHZ #### 
 estimate memory size =64 Mbytes
RESET MT7628 PHY!!!!!!

Please choose the operation: 
   1: Load system code to SDRAM via TFTP. 
   2: Load system code then write to Flash via TFTP. 
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial. 
   9: Load Boot Loader code then write to Flash via TFTP. 
default: 3
 0 
   
3: System Boot system code via Flash.
gpioMode1 Reg: 0x571504c4
gpioMode2 Reg: 0x5550555
tplink_turn_off_led
## Booting image at bc020000 ...
text base: 80000000
entry point: 8000c150
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 8000c150) ...
## Giving linux memsize in MB, 64

Starting kernel ...


LINUX started...
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2024/02/12 08:58
  • by 127.0.0.1