Joined: 16 Nov 2015 Posts: 3347 Location: UK, London, just across the river..
Posted: Thu Dec 21, 2017 11:35 Post subject:
well if you can successfully log in via serial than erase nvram and reboot this will clear the wrong script held in nvram i guess.. _________________ Atheros
TP-Link WR740Nv1 ------DD-WRT 42514 BS WAP/Switch
TP-Link WR740Nv4 ------DD-WRT 42514 BS AP, NAT
TP-Link WR1043NDv2 ----DD-WRT 42287 BS AP,NAT,AD Block,AP Isolation,Firewall,Local DNS,Forced DNS,DoT,VPN
TP-Link WR1043NDv2 ----DD-WRT 42514 BS AP,NAT,AD Block,Firewall,Local DNS,Forced DNS,DoT
TP-Link WR1043NDv2 ----Gargoyle OS 1.12.0 AP,NAT,QoS,Quotas
Netgear R7800 -------DD-WRT 42557 BS AP,NAT,AD-Block,AP&Net Isolation,VLAN's,Firewall,Local DNS,DoT,VPN
Netgear R7000 -------DD-WRT 42054 BS AP,Wi-Fi OFF,NAT,AD-Block,Firewall,Local DNS,Forced DNS,DoT,VPN
Stubby for DNS over TLS I DNSCrypt v2 via Entware by mac913
It's an netgear r7000. Typing tpl won't stop the cfe.
Start hitting ctrl + c even before turning the router on. Hit them as fast as possible. _________________ I am far from a guru, I'm barely a novice.
Joined: 03 Jan 2017 Posts: 49 Location: Lindau, Germany
Posted: Fri Jan 26, 2018 5:59 Post subject: bebrick R7000/R6300v2
A few weeks ago I bricked my R7000 and R6300v2 while trying WDS: Both router froze short befor DHCP would be enabled.
Assigning a static IP I could ping the router short after Power-Up and I could break the boot loop by CTRL-C on a serial console.
In short a recovery via tftp feature is explained:
During the possible pinging of the router after power-up the router assigns itself the IP 192.168.1.1 and tries to download a vmlinuz file via tftp protokoll from a tftp server running on 192.168.1.2.
To use this you have to install a tftp server and have a vmlinuz file for download (detailed explanation in the link, there you will find a vmlinuz file). Then assign the static IP 192.168.1.2 to your PC connected to the router via LAN network. After power up the router downloads this file and boots in this firmware. The vmwlinuz from the post is an openwrt software with a GUI and a SSH server, you can erase the NVRAM via SSH. Warning: In my config even MAC adresses and standard wlan KEY was erased, maybe more.
You should try if you can download the vmlinuz file from an other PC to see if the tftp server is configured correctly.
During playing around with different the vmlinuz files I renamed a dd-wrt firmware to vmlinuz. This file was downloaded as well. As It has not the correct format there was an error message after download and the boot process failed... and I got an serial console!
Don't know if this will happen every time but in my config I had this nice effect.
A reset of the settings via RESET button has not worked for me, even it explained in older posts. For me it seems that the RESET button has no function at all...
- You can/should monitor this process with Wireshark.
- You see that the downloads starts as the pinging continues during download.
- Read the complete discussion in the link, there is even more information at the end.
- After eecovery rename the vmlinuz file and disable the tftp server. Otherwise the router will load this file after power up if the PC has the IP 192.168.1.2.
- Don't get confused with tftp client and server
- There are several tftp server available , maybe not all of then will work on the PC.
I did this all with a linux system using the build in tftpd service but windows it should be possible as well.
Good look and be patient. For me it took a few hours for the first recovery. The second was done in a few minutes, even with CTRL-C.
both the r7000 and r6300v2 have very good bootloaders, but i've managed to brick an r6300v2 and an r7000 by adventurous flashing of various homebrewed firmwares. i have not tried the ploit vmlinuz approach but that looks promising. it is not clear wot me whcih file to use for vmlinuz for an r7000.
one cause of bootloops on both r6300v2 and r7000 is firmware or nvram that has the gpio maps for reset button incorrect; this makes the firmware reboot becasue it * thinks * that that the reset button is being held down.
as far as i can tell, the most resilient bootloader for the r7000 platform boards (r7000, ea6900, ac68u) is the asus. there is a modified-for-r7000 asus cfe on the linksysinfo boards in an asuswrt-for-r7000 thread. i have been using this for the last year and have not scrod my r7000 yet, despite a number of errant flashes.
i have found that i could burn out the Rx serial line on routers by connecting the +3.3/+5v wire to the Rx pin. obviously stupid. i'm suggesting to get the +5v line off your serial adapter so you don't wreck your router. also, you can wreck the Tx line on your serial adapter by connecting it to the +3.3/+5v line on router. you probably have already tried another serial adapter.
finally, if you overclocked, you can try keeping the router in the freezer and breaking in to the bootloader while it is very cold, and erase your overclock settings. you have to do this before the cpu warms up enough to faial at the overclocked rate. i have read scattered success stories. i tried a couple times with failure.
i hope not to have to atone for router murders. i'm guilty on mnay counts.