Flashing bricked TP-LINK AC1200 Archer C5 v1.20 using JTAG cable

  • Posted on: 19 September 2015
  • By: Michał Turecki

Here is a short list of steps involved.

  1. Connect JTAG cable to 3.3V capable serial interface.
  2. Make sure that cable has TX and RX swapped and only GND is connected, VCC should not be.
  3. Run putty or other terminal software. Use baud rate 115200, 8 data bits + 1 stop bit, no parity or flow control
  4. Boot router into UBoot by holding WPS/Reset switch when powering up. This will set router's IP address to 192.168.0.86 and it will try to boot from TFTP server 192.168.0.66 and download ArcherC5v1_tp_recovery.bin file from root drive. This way any firmware without boot can be flashed without JTAG cable. Firmware with boot (in name) should be stripped of it by running:
    dd if=firmware.bin of=stripped.bin bs=512 skip=257

    But yours is bricked, right?

  5. Get access to the UBoot console: when the message "Autobooting in 1 seconds" appears, quickly type "tpl". Remember - you have 1 second to type it :) UBoot console will welcome you with ap135> prompt.
  6. Put "firmware_noboot.bin" in a root directory of your TFTP server and run following commands:
    setenv ipaddr 192.168.0.86
    setenv serverip 192.168.0.66
    tftp 0x81000000 firmware_noboot.bin
    erase 0x9f020000 +f80000
    cp.b 0x81000000 0x9f020000 0xf80000
    bootm 0x9f020000
    (or reset)
    

After router reboots or 5 minutes passed it should now work (finally). Console should show normal linux boot process instead of an error loading kernel.