This is how to turn your 610N_V2 into an E3000. This will only work on a WRT610N_V2.
As with all procedures of this nature, there is a risk. I take no responsibility for what may happen to your router. It is all on you. If you are not comfortable or there is something you don't understand, do not proceed. You have been warned!
If you have a wrt610n_v2 and you do not know what a static ip is, or what a hex editor is, close this thread and continue browsing the forum.
User FrancoisC shares in the credit for this procedure.
Make sure your anti-virus and firewall software is disabled. Setting a static IP on your rig is recommended.
There is no operational jtag on a V2 or a 3000. If you brick your router, it may not be recoverable.
If you do not follow the instructions exactly you may need serial to recover assuming your cfe flash was good. If you mess up the cfe flash, your router is now a 100+ dollar paper weight!
You will need a hex editor program. notepad is not a hex editor!, winSCP, and you must have SSH enabled in the dd-wrt firmware. winSCP uses SSH for file transfer. You will also need an E3000 cfe , and an E3000 build with a modified header. Both are attached below. The CFE you will have to edit. The modified build is ready to go. Both are attached.
This is what needs to be done:
Backup your existing cfe via http and put it in a safe place.
Edit the attached 3000 cfe with your macs, serial, and the 8 digit easy access pin. All found on your sticker. The CFE is a binary file so you must use a hex editor!
WARNING: This is for a version 19 of a 3000 CFE. There is a version 20 available. However the version 20 in the collection thread does not have data for macs, serials, and pins.
Using the offsets below does not work on a version 20 CFE. The macs will not be correct. Use the version 19 CFE attached!
The mac address is found at offset 0x1E00 in the cfe file. The easy access pin is at offset 0x3FCDC. The serial number is found at offset 0x3FE30.
During the process, DO NOT power cycle your router. NEVER power cycle the router until all finished with the final flash and the router has booted.
Reset your router to defaults and enable SSH.
Once your CFE edits are done, use winSCP to copy the cfe file to the /tmp folder of the router.
Close winSCP and open a telnet session.
Issue the following commands:
cd /tmp
mtd unlock cfe
mtd write -f cfe_new.bin cfe
It only takes a few seconds to write the new cfe. When back at the telnet prompt, exit the session.
Now access the router via your browser.
Using the admin, upgrade tab, flash the attached build selecting to "reset to defaults" after the flash.
If you do not reset to defaults, your router will brick and you will need serial to recover!
Be patient.. This will take a while and the router may reboot three times. BE PATIENT! It can take up to 6 minutes or longer. I believe dd-wrt starts counting down from 360 when flashing. It took till the number 74 was displayed before I got a success message.. and it took a few more minutes after that for the router to boot for the final time. BE PATIENT!
Once booted, access the router, reset to factory defaults once more, then flash a 3000 build without the modified header.
DO NOT POWER CYCLE THE ROUTER AT ANY TIME _________________ [Moderator Deleted]
Last edited by barryware on Mon Jan 03, 2011 20:37; edited 5 times in total
Is there any advantage to converting the 610_v2 to a E3000? I would think that the 610_v2 has better DD-WRT support since the developers like EKO has one to "play" with?
TIA _________________ Home Network on Telus 1Gb PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway & WiFi & 3xWireGuard - DDWRT r53562 Std k4.9
Off Site 1
R7000 - Gateway & WiFi & WireGuard - DDWRT r54517 Std
E3000 - Station Bridge - DDWRT r49626 Mega K4.4
Off Site 2
R7000 - Gateway & WiFi - DDWRT r54517 Std
E2000 - Wired ISP IPTV PVR Blocker - DDWRT r35531
Joined: 07 May 2010 Posts: 384 Location: Surgut, Western Siberia
Posted: Wed Jul 07, 2010 16:41 Post subject:
Excellent! For those like me that never used scp before here is a small instruntion how to copy your cfe:
step 1: download Putty SCP (PSCP)
step 2: pscp.exe -pw password cfe_new.bin root@192.168.1.1:/tmp
and voila
Joined: 26 Jan 2008 Posts: 13049 Location: Behind The Reset Button
Posted: Wed Jul 07, 2010 16:54 Post subject:
nihilo666 wrote:
Excellent! For those like me that never used scp before here is a small instruntion how to copy your cfe:
step 1: download Putty SCP (PSCP)
step 2: pscp.exe -pw password cfe_new.bin root@192.168.1.1:/tmp
and voila
there are lots of different ways the skin the cat.. putty instead of winscp, ssh instead of telnet, etc..
you gotta:
get the cfe to your router
write the cfe
flash the build with the modded header (resetting to defaults)
done _________________ [Moderator Deleted]
Joined: 07 May 2010 Posts: 384 Location: Surgut, Western Siberia
Posted: Wed Jul 07, 2010 17:02 Post subject: Re: Change your 610n V2 into an E3000
barryware wrote:
Using the admin, upgrade tab, flash the attached build selecting to "reset to defaults" after the flash.
If you do not reset to defaults, your router will brick and you will need serial to recover!
Be patient.. This will take a while and the router may reboot three times. BE PATIENT!
Once booted, access the router, reset to factory defaults once more, then flash a 3000 build without the modified header.
After reset to defaults I was not patient enough and power cycle a router. Now I have a dead brick with no access to lan and serial The power led blinks and thats all. This is my SECOND brick - a month earlier killed my RT-N16
Posted: Wed Jul 07, 2010 17:23 Post subject: Re: Change your 610n V2 into an E3000
nihilo666 wrote:
After reset to defaults I was not patient enough and power cycle a router. Now I have a dead brick with no access to lan and serial The power led blinks and thats all. This is my SECOND brick - a month earlier killed my RT-N16
If you don't have serial access then your boot loader, the cfe, is trashed.
Your problem is not about the time you waited before power cycling, firmware re-flashing doesn't trash the cfe.
It is the new cfe that is faulty or the flashing of it that went wrong. _________________ Kernel panic: Aiee, killing interrupt handler!
Joined: 26 Jan 2008 Posts: 13049 Location: Behind The Reset Button
Posted: Wed Jul 07, 2010 17:31 Post subject: Re: Change your 610n V2 into an E3000
LOM wrote:
nihilo666 wrote:
After reset to defaults I was not patient enough and power cycle a router. Now I have a dead brick with no access to lan and serial The power led blinks and thats all. This is my SECOND brick - a month earlier killed my RT-N16
If you don't have serial access then your boot loader, the cfe, is trashed.
Your problem is not about the time you waited before power cycling, firmware re-flashing doesn't trash the cfe.
It is the new cfe that is faulty or the flashing of it that went wrong.
I don't think he has a serial connection hooked up to tell. if the cfe was written, the cfe is good. If the modded build was not flashed, then the router will brick. Just like flashing a v2 build to a 3000. The v2 build is still on the router till flashed with the 3000 build. Now you need serial to recover.
Nowhere did I say to EVER power cycle the unit!
@LOM.. Maybe the best thing to do is delete this thread. I got a feeling there will be more bricks to come. _________________ [Moderator Deleted]
Last edited by barryware on Wed Jul 07, 2010 19:31; edited 1 time in total
Posted: Wed Jul 07, 2010 17:47 Post subject: Re: Change your 610n V2 into an E3000
barryware wrote:
I don't think he has a serial connection hooked up to tell. if the cfe was written, the cfe is good.
That it was written is not a guarantee that it is good, doesn't tell if it was correctly edited.
There is a need for many warnings in your otherwise good tutorial, the words hex editor should also be bolded with a comment that Notepad is not a hex editor.
It is very important that you are in overtype mode and not in insert mode, otherwise the file will increase in length and that will brick the router to 100%.
Maybe better that you do the cfe editing for those who want to upgrade? _________________ Kernel panic: Aiee, killing interrupt handler!
Joined: 26 Jan 2008 Posts: 13049 Location: Behind The Reset Button
Posted: Wed Jul 07, 2010 18:39 Post subject:
I forgot exactly but I believe dd-wrt starts counting down from 360 (seconds) when flashing a build. Somewhere between 360 and zero you get a success message.. Then the router re-boots and that takes some time.
My countdown made it to 72 ~ 74 somewhere before I got the success message after flashing the modded build, then it re-booted a few times (3). I thought it was stuck in a re-boot loop but it was not.
Soooooo.. WAIT!... BE PATIENT!
Edit.. I have been playing with this.. Flashing back & forth.. dd-wrt starts counting a 300 seconds, not 360 _________________ [Moderator Deleted]
Last edited by barryware on Thu Jul 08, 2010 23:11; edited 1 time in total
Posted: Wed Jul 07, 2010 19:11 Post subject: Re: Change your 610n V2 into an E3000
barryware wrote:
@LOM.. Maybe the best thing to do is delete this thread. I got a feeling there will be more bricks to come.
No way, this thread is useful- if someone can't follow directions they shouldn't be attempting the flash.
With respect to "bricked" units, I believe that the SMT resistors can be populated to enable JTAG. It wouldn't be 0 ohm resistors, it would be something like 3K Ohm- I'll see if I can figure out the nominal value.
I'm looking for a 610N to try this on my own. Even one that someone else bricked and wants to donate or sell cheaply. :-)
Anyone attempting this should accept responsibility that if they muck it up they might have a brick. I've personally resurrected several dozen "Dead" routers (including three from ONE PERSON!).
The problem in general with this type of deliberate change is that some folks shouldn't be handling hardware. Some folks just can't handle following directions to the letter- not adding steps, omitting steps, varying steps, etc.
The power led blinks and thats all. This is my SECOND brick - a month earlier killed my RT-N16 
