TP-Link Archer C9 Brick Fix (Revert To Stock Possibly)

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Goto page Previous  1, 2, 3 ... 9, 10, 11 ... 20, 21, 22  Next
Author Message
chrisdmc
DD-WRT Novice


Joined: 18 Jan 2016
Posts: 19

PostPosted: Tue Jan 19, 2016 1:35    Post subject: Costco Archer C1900 (black case) revert to stock Reply with quote
Latest DD-WRT firmware (01/25/2016) no longer overwrites TP-Link partitions, try first to revert to stock using TFTP method!

Please first read the entire post before attempting to flash.

Have got the black version of Archer C1900 from Costco and after flashing DD-WRT I was unable to revert to stock by using TFTP method. Although have figured out that the required file that the router was looking for was named ArcherC9v2_tp_recovery.bin, once the file is downloaded by the router, the file gets rejected by CFE.

Connecting with UART, the problem is that CFE ( bootloader) is reading the product-info partition to match the new firmware image against the product version of the router before attempting to flash it. DD-WRT overwrites product-info (as well as default-mac and pin) partitions making the revert to stock using TFTP method impossible.

Expect Archer C9 to have the same problem since the partition layout is identical.

Thanks to work already done by @Heinzek and @Aboshi I was able to create a revert to stock image that can be used directly from DD-WRT or from CFE to restore the stock firmware.
Yes, that means you do not have to open the router case when using the first method.

Must read before flashing:

WARNING: This is for Costco Archer C1900 (black case), not for Archer C9 (white case). For Archer C9 a similar approach can be used to create a similar image by using the original C9 firmware.

WARNING: This image will overwrite not only os-image and file-system partitions but also default-mac, pin, product-info, partition-table, soft-version, support-list, profile and default-config partitions. user-config, log, radio-bk, radio and CFE will not be touched (unless you do something wrong from the command line). As stated before, I have found that DD-WRT overwrites at least default-mac to product-info partitions and in my case since I have tried JFFS support, have found partition-table, soft-version and support-list overwritten with other data too.

Since DD-WRT was not stable on my router, having intermittent disconnects on WiFi, for now was best to revert to stock until DD-WRT will be changed to not overwrite the above partitions and also have the WiFi and JFFS2 problems fixed.

DISCLAIMER: Have already tried the image a few times and was able to return to stock by flashing from DD-WRT web interface. Once to stock, you can flash the original image from TP-LINK website using TP-LINK web interface. It would be best if somebody that has UART and already opened the router case as I did would confirm first the image works as expected on his router too. Use at your own risk.

After flashing from DD-WRT, do not forget to reset the router by pressing the hardware reset button until all the lights turn on. It might take 20-30 seconds until the router will be accessible after the reset. Reset will also help to restore the MAC and Pin baked in the image.

Always flash it using wired connection since it's expected to be more stable and less risky especially if you do not want to open the router and restore it using UART. In case the transfer fails before being complete you might get a brick device until you open it. Let DD-WRT complete the flash and reboot the router before attempting the hard-reset. Once done, you will have to change the IP address from 192.168.1.1 (DD-WRT) to 192.68.0.1 (TP-LINK) to connect to TP-LINK web interface.

How to use the revert image:

1. Just flash ddwrt-to-factory.bin as you flash a DD-WRT update (usually named archer-c1900-webflash.bin) from the DD-WRT web interface.
2. From CFE run the command line:

flash -noheader -offset=0x0 192.168.0.66:ddwrt-to-factory.bin flash0.trx

The mapping between the addresses on the router versus the ones in the image file:

01. partition os-image base 0x400000 size 0x200000 newbase 0x000000
02. partition file-system base 0x240000 size 0xc00000 newbase 0x200000
03. partition default-mac base 0xe40000 size 0x00200 newbase 0xe00000
04. partition pin base 0xe40200 size 0x00200 newbase 0xe00200
05. partition product-info base 0xe40400 size 0x00200 newbase 0xe00400
06. partition partition-table base 0xe50000 size 0x10000 newbase 0xe10000
07. partition soft-version base 0xe60000 size 0x00200 newbase 0xe20000
08. partition support-list base 0xe61000 size 0x0f000 newbase 0xe21000
09. partition profile base 0xe70000 size 0x10000 newbase 0xe30000
10. partition default-config base 0xe80000 size 0x10000 newbase 0xe40000

The image will set your MAC address to: AA-BB-CC-CC-BB-AA and the pin to something like: 12345670.

If you want to restore the MAC and pins that are written on your back of your router you have to hex edit ddwrt-to-factory.bin image using a hex editor and generate a new CRC32 code using the CRC32 small app attached, here are the instructions:

1. To change MAC, go to offset 0xe00000 in the image file, skip first 8 bytes (first 4 are for MAC address size and next 4 for padding) and change next 6 bytes from 'AA BB CC CC BB AA' to what ever is set on your router back.
2. To change Pin, go to offset 0xe00200 in the image file, skip the first 8 bytes (padding) and change the pin from 11111111 to what ever is set on your router back. In this case you have to edit the pin number as text (decimals) and not as hex values.

After making the changes you are not done. You need to run CRC32.exe on the modified image to generate a new CRC32 that you will overwrite on the image at offset 0x8. If this step is skipped, the image will not be accepted by DD-WRT due to mismatch between the content and the CRC value.

In this case you need to change '6E 58 26 69' with the code generated by CRC32 app.
To get the new CRC, run following command from the command prompt on the image that has the MAC and/or PIN already changed:

crc32 ddwrt-to-factory.bin 0xc

Once the old CRC32 is overwritten with the new one, save the file and use it to flash your router from DD-WRT web interface or from CFE if you have the UART and have open the router case.

If changing the MAC and Pin seems to hard, just use the default image and once you are in the TP-Link web interface just overwrite the MAC and Pin with desired values.

If CRC32 doesn't start, you might have to download and install Visual C++ Redistributable for Visual Studio 2015 (vc_redist.x64.exe).



CostcoArcherC1900(Black)RevertToStock.zip
 Description:

Download
 Filename:  CostcoArcherC1900(Black)RevertToStock.zip
 Filesize:  10.41 MB
 Downloaded:  560 Time(s)



Last edited by chrisdmc on Tue Jan 26, 2016 17:26; edited 1 time in total
Sponsor
LOM
DD-WRT Guru


Joined: 28 Dec 2008
Posts: 7631

PostPosted: Tue Jan 19, 2016 10:40    Post subject: Re: Costco Archer C1900 (black case) revert to stock Reply with quote
chrisdmc wrote:


Connecting with UART, the problem is that CFE ( bootloader) is reading the product-info partition to match the new firmware image against the product version of the router before attempting to flash it. DD-WRT overwrites product-info (as well as default-mac and pin) partitions making the revert to stock using TFTP method impossible.


dd-wrt does not overwrite those partitions.

chrisdmc wrote:

01. partition os-image base 0x400000 size 0x200000 newbase 0x000000
02. partition file-system base 0x240000 size 0xc00000 newbase 0x200000


Max allowed size for the whole firmware is then 0x200000 + 0xc00000 , ie 0xe00000.
The length of ddwrt is only 0xdce400.


Show the partition info from dmesg directly after booting, it will tell for sure what ddwrt uses and not uses.

_________________
Kernel panic: Aiee, killing interrupt handler!
Heinzek
DD-WRT User


Joined: 07 Apr 2013
Posts: 59
Location: Poland

PostPosted: Tue Jan 19, 2016 14:38    Post subject: Reply with quote
Archer C9 Firmware: DD-WRT v3.0-r28598 std (12/24/15)
dmesg :
Quote:
[...]
bcmsflash: squash filesystem found at block 28
Creating 6 MTD partitions on "bcmsflash":
0x000000000000-0x000000040000 : "boot"
0x000000040000-0x000000ff0000 : "linux"
0x0000001c0000-0x000000de0000 : "rootfs"
0x000000de0000-0x000000ff0000 : "ddwrt"
0x000000ff0000-0x000001000000 : "nvram_cfe"
0x000000fe0000-0x000000ff0000 : "nvram"
nflash: found no supported devices
[...]


Maybe firmware not overwrite important router data but partition dd-wrt (mtd3) erase these data.

Read @<Kong> post:
http://www.dd-wrt.com/phpBB2/viewtopic.php?p=968541#968541

_________________
tplinkforum.pl - Polskie forum poświęcone tematyce urządzeń firmy TP-link i Neffos
LOM
DD-WRT Guru


Joined: 28 Dec 2008
Posts: 7631

PostPosted: Tue Jan 19, 2016 15:34    Post subject: Reply with quote
Heinzek wrote:
Archer C9 Firmware: DD-WRT v3.0-r28598 std (12/24/15)
dmesg :
Quote:
[...]
bcmsflash: squash filesystem found at block 28
Creating 6 MTD partitions on "bcmsflash":
0x000000000000-0x000000040000 : "boot"
0x000000040000-0x000000ff0000 : "linux"
0x0000001c0000-0x000000de0000 : "rootfs"
0x000000de0000-0x000000ff0000 : "ddwrt"
0x000000ff0000-0x000001000000 : "nvram_cfe"
0x000000fe0000-0x000000ff0000 : "nvram"
nflash: found no supported devices
[...]


Maybe firmware not overwrite important router data but partition dd-wrt (mtd3) erase these data.

Read @<Kong> post:
http://www.dd-wrt.com/phpBB2/viewtopic.php?p=968541#968541


Yes mtd3 will kill that data but it should only happen if you enable jffs.
Strange that Kong didn't notify Brainslayer about it, this could have been fixed half a year ago.

I will tell lBrainslayer but I want to know:

This is still going on in latest builds, right?
The router is correctly detected as Archer C9 and not some generic Northstar?
A wrong router detection will give wrong partitioning..

_________________
Kernel panic: Aiee, killing interrupt handler!
chrisdmc
DD-WRT Novice


Joined: 18 Jan 2016
Posts: 19

PostPosted: Tue Jan 19, 2016 17:24    Post subject: Reply with quote
Never mentioned DD-WRT firmware itself overwrites product-info partition (or MAC, Pin ones).

Here are the partitions with DD-WRT firmware from December 24th:

bcmsflash: squash filesystem found at block 30
Creating 5 MTD partitions on "bcmsflash":
0x000000000000-0x000000040000 : "boot"
0x000000040000-0x000000240000 : "linux"
0x000000240000-0x000000ee0000 : "rootfs" -> This one seems to be the one overwriting mac, pin, product-info and a few other partitions after.
0x000000fe0000-0x000000ff0000 : "radio"
0x000000ff0000-0x000001000000 : "nvram"
nflash: found no supported devices

Partition not affected by the "rootfs" is the log one:

partition log base 0xee0000 size 0x100000

Clearly, "rootfs" partition should end at 0xe40000 where "default-mac" partition starts or in case DD-WRT has to mount the space as part of "rootfs" partition, to make sure, the range starting with "default-mac" will be read-only.
Not very familiar of how "rootfs" is used but after first boot, "default-mac", "pin" and "product-info" partitions original content is gone. Dumping the content from CFE clearly shows that.

Will try later with the latest firmware available.

Thanks
chrisdmc
DD-WRT Novice


Joined: 18 Jan 2016
Posts: 19

PostPosted: Wed Jan 20, 2016 4:57    Post subject: New firmware doesn't fix the partition overwrite issue Reply with quote
Have just flashed with today firmware (01-19-2016-r28882) and those partitions are still overwritten.

I'm just seeing a 6th partition called DD-WRT and here is the partition layout:

bcmsflash: squash filesystem found at block 36
Creating 6 MTD partitions on "bcmsflash":
0x000000000000-0x000000040000 : "boot"
0x000000040000-0x000000ff0000 : "linux"
0x000000240000-0x000000e70000 : "rootfs"
0x000000e70000-0x000000ff0000 : "ddwrt"
0x000000ff0000-0x000001000000 : "nvram_cfe"
0x000000fe0000-0x000000ff0000 : "nvram"
nflash: found no supported devices

Default-mac to support-list partitions still overwritten by the "rootfs".
LOM
DD-WRT Guru


Joined: 28 Dec 2008
Posts: 7631

PostPosted: Wed Jan 20, 2016 5:32    Post subject: Re: New firmware doesn't fix the partition overwrite issue Reply with quote
chrisdmc wrote:
Have just flashed with today firmware (01-19-2016-r28882) and those partitions are still overwritten.

I'm just seeing a 6th partition called DD-WRT and here is the partition layout:

bcmsflash: squash filesystem found at block 36
Creating 6 MTD partitions on "bcmsflash":
0x000000000000-0x000000040000 : "boot"
0x000000040000-0x000000ff0000 : "linux"
0x000000240000-0x000000e70000 : "rootfs"
0x000000e70000-0x000000ff0000 : "ddwrt"
0x000000ff0000-0x000001000000 : "nvram_cfe"
0x000000fe0000-0x000000ff0000 : "nvram"
nflash: found no supported devices

Default-mac to support-list partitions still overwritten by the "rootfs".


and now I assume that you have a misdetection of router type, the names of the 2 nvram areas indicates that.

The most common reason for misdetection is user doing "erase nvram" before booting ddwrt.
One or more of the nvram variables used for detecting router type is missing so ddwrt will see the router type as "Broadcom Northstar" and will use an auto generated generic partition table instead of the router type specific one.

_________________
Kernel panic: Aiee, killing interrupt handler!
chrisdmc
DD-WRT Novice


Joined: 18 Jan 2016
Posts: 19

PostPosted: Wed Jan 20, 2016 6:59    Post subject: Re: New firmware doesn't fix the partition overwrite issue Reply with quote
LOM wrote:

and now I assume that you have a misdetection of router type, the names of the 2 nvram areas indicates that.

The most common reason for misdetection is user doing "erase nvram" before booting ddwrt.
One or more of the nvram variables used for detecting router type is missing so ddwrt will see the router type as "Broadcom Northstar" and will use an auto generated generic partition table instead of the router type specific one.


DD-WRT web interface shows the router as Archer C9 instead of Archer C1900. Double-checked and factory-to-ddwrt.bin file correctly identifies as Archer C1900 so it's not the case that I have upload the wrong file.

mtd5 also shows Archer C9, where mtd4 shows Archer C1900.

'DD_BOARD=TPLINK Archer C9' in mtd5 and 'wps_modelname=Archer_C1900' in mtd4!

Have not manually erased nvram. Just flashed the router from TP-Link web interface.
LOM
DD-WRT Guru


Joined: 28 Dec 2008
Posts: 7631

PostPosted: Wed Jan 20, 2016 8:45    Post subject: Reply with quote
I have discussed the problem with Brainslayer and the solution is to remove the ddwrt partition which is used for jffs.
So no jffs on this router with so small flash and where the flash is stupidly used thereby limiting the firmware size to 14MB.
jffs is btw completely unnecessary on routers with an USB port, it is much better to mount and write to an external USB flash stick than doing it to internal flash.

Please check that partitioning is ok in next released ddwrt build!

_________________
Kernel panic: Aiee, killing interrupt handler!
chrisdmc
DD-WRT Novice


Joined: 18 Jan 2016
Posts: 19

PostPosted: Wed Jan 20, 2016 17:03    Post subject: Reply with quote
Thanks guys for all your help.
RalphMalph
DD-WRT Novice


Joined: 29 Dec 2011
Posts: 40

PostPosted: Thu Jan 21, 2016 10:53    Post subject: Reply with quote
But still no revert possibility from ddwrt to factory for the TPLINK ARCHER C9.
Confused too bad
chrisdmc
DD-WRT Novice


Joined: 18 Jan 2016
Posts: 19

PostPosted: Fri Jan 22, 2016 4:33    Post subject: Reply with quote
Latest DD-WRT firmware (01/25/2016) no longer overwrites TP-Link partitions, try first to revert to stock using TFTP method!

EDIT: The image is only for Archer c9 v1.

For Archer C9 I have modified 12.bin image from @Heinzek to make it flash from DD-WRT web interface.

WARNING: Wait until somebody that have open the router case and has UART, have flash it and confirms that it works! Otherwise you could end-up with a bricked router.

WARNING: The image will overwrite default MAC and Pin on your router, to restore them you will have to modify the image in same way I have posted instructions for Costco US Archer C1900 (black case) or in the worst case flash the 'default-mac' and 'pin' partitions from CFE with correct data.

To validate the image works as expected:

1. Extract ddwrt-to-factory.bin from the attached zip and flash it from DD-WRT web interface as you would normally flash a DD-WRT update image (webflash.bin). Wait until DD-WRT reboots the router.
2. After DD-WRT reboots the router, do a hard-reset by pressing the reset button for around 30secs or until all the lights turn on.
3. Once in TP-Link web interface, flash the router with an official firmware. It should work.
4. Try to flash the official firmware by using TFTP (instructions by @Heinzek - page 2).



ArcherC9RevertToStock.zip
 Description:

Download
 Filename:  ArcherC9RevertToStock.zip
 Filesize:  10.09 MB
 Downloaded:  1795 Time(s)



Last edited by chrisdmc on Sun Feb 07, 2016 4:28; edited 2 times in total
chrisdmc
DD-WRT Novice


Joined: 18 Jan 2016
Posts: 19

PostPosted: Tue Jan 26, 2016 17:20    Post subject: Reply with quote
Hi,

With build from yesterday (25th) mac and all other "important" partitions are no longer overwritten, here is partition layout:

bcmsflash: squash filesystem found at block 36
Creating 6 MTD partitions on "bcmsflash":
0x000000000000-0x000000040000 : "boot"
0x000000040000-0x000000ff0000 : "linux"
0x000000240000-0x000000df0000 : "rootfs"
0x000000df0000-0x000000ff0000 : "ddwrt"
0x000000ff0000-0x000001000000 : "nvram_cfe"
0x000000fe0000-0x000000ff0000 : "nvram"
nflash: found no supported devices

@LOM: Does the partition layout looks right? Because I thought, "nvram_cfe" partition was supposed to be called "radio"!

Jffs2 support is removed as expected from DD-WRT web interface, "ddwrt" partition will preserve mac, product-info and other router important Tp-Link partitions.

Device is still identified as Archer C9 (don't care how it's called as long as it works Wink.

As others mentioned, the WAN led being turn on instead of LAN led (small inconvenient and not that important).

So far the router seems to be stable with DD-WRT firmware, I will test it more and even try it to use as a daily driver.

Thanks DD-WRT team.
chrisdmc
DD-WRT Novice


Joined: 18 Jan 2016
Posts: 19

PostPosted: Tue Jan 26, 2016 17:23    Post subject: Reply with quote
BTW, with latest DD-WRT firmware (01/25/2016), no need to flash it with my custom image, just try with TFTP method using the original firmware image.
LOM
DD-WRT Guru


Joined: 28 Dec 2008
Posts: 7631

PostPosted: Wed Jan 27, 2016 4:00    Post subject: Reply with quote
chrisdmc wrote:
Hi,

With build from yesterday (25th) mac and all other "important" partitions are no longer overwritten, here is partition layout:

bcmsflash: squash filesystem found at block 36
Creating 6 MTD partitions on "bcmsflash":
0x000000000000-0x000000040000 : "boot"
0x000000040000-0x000000ff0000 : "linux"
0x000000240000-0x000000df0000 : "rootfs"
0x000000df0000-0x000000ff0000 : "ddwrt"
0x000000ff0000-0x000001000000 : "nvram_cfe"
0x000000fe0000-0x000000ff0000 : "nvram"
nflash: found no supported devices

@LOM: Does the partition layout looks right? Because I thought, "nvram_cfe" partition was supposed to be called "radio"!



They are called nvram_cfe and nvram in ddwrt firmware and has always been so the partitiontable you showed a few posts up and which you say is from a dec 24 ddwrt firmware is confusing and is probably from stock firmware. Size of linux partition also indicates that.

chrisdmc wrote:


Device is still identified as Archer C9 (don't care how it's called as long as it works Wink.



I don't think there is a way to distinguish between C1900 and C9, at least not early in the boot sequence.
Router type detection is mainly based on a combination of board identifier nvram variables.

_________________
Kernel panic: Aiee, killing interrupt handler!
Goto page Previous  1, 2, 3 ... 9, 10, 11 ... 20, 21, 22  Next Display posts from previous:    Page 10 of 22
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum