Posted: Sat Jun 20, 2015 12:41 Post subject: TP-Link Archer C9 Brick Fix (Revert To Stock Possibly)
Hi Everyone,
Figured I would post this here to help some people if they brick/semi-brick their router. Just one thing: someone (or I) will need to strip out the boot loader of the stock firmware if you want to revert to stock.
So this little adventure started when I got fed up with port forwarding not working whatsoever with the latest builds of dd-wrt (even putting in the firewall rules, it just won't work). The only fix was to shut off the firewall entirely, and that is not an option...
So, as everyone knows, there is a recovery mode on pretty much every new Broadcom-based router, and the Archer C9 is no exception. Now here's the thing: I will walk you all through how to get into recovery mode and flash a new FW through TFTP. Be warned, though: if you use a stock official firmware without a stripped boot loader you will brick! Only semi-brick, but still a brick nonetheless. So if you do this because you don't believe me, or just want to test your luck, here's how to flash a new FW in recovery mode.
It goes without saying that you need a hard-wired connection; plug into one of the LAN ports, not the WAN.
1. Download a stripped stock firmware for the Archer C9 (make sure it is the current version you upgraded from to dd-wrt, or you will more than likely run into issues). At the time of this writing there is no stripped FW, so you can test your luck with a stock FW with boot loader and see if you have better luck than I did, but I highly doubt you will.
2. Rename the firmware to archerc9v1_tp_recovery.bin
3. Set your Ethernet address to 192.168.0.66, subnet 255.255.255.0 (the router will get an address of 192.168.0.86).
4. Place archerc9v1_tp_recovery.bin in the TFTP directory that you are serving out.
5. Unplug your router, then hold the reset button on the back and plug the router back in. Hold the reset button for 2-4 seconds, then let it go. All of the lights will light up after a short time (this is the firmware being downloaded from your TFTP server).
6. If all goes well the router should reboot and all is well; if not, the power light will blink slowly a few times, then blink rapidly.
7. At this point you're either back on stock firmware or you just semi-bricked because you didn't use a firmware with a stripped-out boot loader.
8. If you now have the rapidly flashing power light, you are only semi-bricked. I fixed this by renaming the latest dd-wrt beta to archerc9v1_tp_recovery.bin and re-flashing in recovery, and I was back up and running in about 2 minutes. At the time of this writing it was ftp://ftp.dd-wrt.com/betas/2015/06-19-2015-r27378/tplink_archer-c9/
So at this point we can only fix bricks/semi-bricks back to dd-wrt, or, if you bricked your official firmware, this will get you back on track with official firmware (just remember it needs to be the exact version you had if official).
As soon as I get binwalk working correctly I will try to strip out the boot loader of all official stock images, but don't hold your breath as I am very busy lately. Hopefully one of you can handle stripping the boot loader so people can revert back to stock.
Also, if any of you have a fix for the port forward issue, please let me know because it is a super annoying bug.
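The recovery procedure above needs a TFTP server on 192.168.0.66 that answers the router's read request for archerc9v1_tp_recovery.bin. The following is an added example, not code from the original post or from dd-wrt: a minimal RFC 1350 read-only TFTP server (octet mode, lock-step DATA/ACK, retransmits) plus a tiny client used to exercise it. The bind address 192.168.0.66 and the file name come from the post; the traversal check, the 5-retry limit and the 2-second timeout are my own choices. Port 69 needs root (or CAP_NET_BIND_SERVICE); the test below binds an ephemeral port on localhost instead.

```python
import os
import socket
import struct
import sys

# RFC 1350 opcodes and the fixed 512-byte block size
RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512


def parse_request(pkt):
    """Parse an RRQ/WRQ packet into (opcode, filename, mode)."""
    opcode = struct.unpack("!H", pkt[:2])[0]
    fields = pkt[2:].split(b"\x00")
    if opcode not in (RRQ, WRQ) or len(fields) < 2:
        raise ValueError("not a TFTP request")
    name = fields[0].decode("ascii", "replace")
    mode = fields[1].decode("ascii", "replace").lower()
    return opcode, name, mode


def error_packet(code, msg):
    return struct.pack("!HH", ERROR, code) + msg.encode() + b"\x00"


def safe_path(root, name):
    """Serve only a plain file name inside root; refuse any traversal attempt."""
    if not name or "/" in name or "\\" in name or name in (".", ".."):
        return None
    path = os.path.join(root, name)
    return path if os.path.isfile(path) else None


def serve_file(sock, client, path):
    """Send one file in 512-byte DATA blocks, waiting for the matching ACK each time."""
    with open(path, "rb") as f:
        block = 1
        while True:
            chunk = f.read(BLOCK_SIZE)
            pkt = struct.pack("!HH", DATA, block & 0xFFFF) + chunk
            for _ in range(5):  # retransmit a block up to 5 times before giving up
                sock.sendto(pkt, client)
                try:
                    resp, addr = sock.recvfrom(516)
                except socket.timeout:
                    continue
                if addr == client and len(resp) >= 4 and \
                        struct.unpack("!HH", resp[:4]) == (ACK, block & 0xFFFF):
                    break
            else:
                return False
            block += 1
            if len(chunk) < BLOCK_SIZE:  # a short (possibly empty) block ends the transfer
                return True


def tftp_server(root, bind_addr="192.168.0.66", port=69, ready=None):
    """Answer RRQs for files under root. Each transfer gets its own socket, since
    TFTP identifies the transfer by the server's ephemeral port (the TID)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind((bind_addr, port))
    if ready is not None:
        ready(listener.getsockname())  # lets a caller learn the bound address/port
    while True:
        pkt, client = listener.recvfrom(516)
        try:
            opcode, name, mode = parse_request(pkt)
        except ValueError:
            continue
        xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        xfer.bind((bind_addr, 0))
        xfer.settimeout(2.0)
        path = safe_path(root, name)
        if opcode != RRQ or mode != "octet":
            xfer.sendto(error_packet(4, "read-only server, octet mode only"), client)
        elif path is None:
            xfer.sendto(error_packet(1, "file not found"), client)
        else:
            serve_file(xfer, client, path)
        xfer.close()


def tftp_get(server, name, timeout=2.0):
    """Minimal octet-mode RRQ client; returns the file bytes or raises IOError."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    s.sendto(struct.pack("!H", RRQ) + name.encode() + b"\x00octet\x00", server)
    out, expected = bytearray(), 1
    while True:
        pkt, addr = s.recvfrom(516)  # first DATA arrives from the server's new TID
        op, num = struct.unpack("!HH", pkt[:4])
        if op == ERROR:
            s.close()
            raise IOError(pkt[4:-1].decode("ascii", "replace"))
        if op == DATA and num == expected & 0xFFFF:
            out += pkt[4:]
            s.sendto(struct.pack("!HH", ACK, num), addr)
            expected += 1
            if len(pkt) - 4 < BLOCK_SIZE:
                s.close()
                return bytes(out)


if __name__ == "__main__":
    # Usage: sudo python3 tftp_recovery.py /path/to/dir/containing/archerc9v1_tp_recovery.bin
    tftp_server(sys.argv[1] if len(sys.argv) > 1 else ".")
```

Run it from the directory holding archerc9v1_tp_recovery.bin, then follow step 5. The server logs nothing by design; if you want to see the router's request, watch UDP/69 with tcpdump on the wired interface.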
Hi Aboshi.
This is exactly my situation. I recently made a TFTP server to unbrick my C9 after a bad flash. I reflashed a DD-WRT firmware without bootloader successfully, but I think it's good to have the option to go back to stock firmware when needed. I'm not sure about the exact part of the firmware that must be stripped on Broadcom routers like this C9. Also, there is no TP-Link firmware with "boot" in the filename available to download for the C9. Do you have the procedure to strip the bootloader for the C9 stock firmware?
Thanks in advance.
There are a few ways to do it. One is to binwalk and unpack the FW, then remove the bootloader and repack. Or you can hex it out, but that can be a little more time-consuming, looking for the section of the bootloader. I'm sure there are references on how to strip out the bootloader if you're going to try to tackle it yourself.
You can even load it up in IDA and analyze it that way.
Posted: Mon Jul 06, 2015 13:04 Post subject: Strings
I have attached a hex dump and strings from the OFW Archer_c9_v1_150122.
I was having issues extracting the LZMA, but using FMK I was able to extract the FW; binwalk isn't detecting the structure right (I think, according to the strings I dumped). I also used FMK to flash back the new FW I created, both within the dd-wrt GUI and as a factory recovery with TFTP, with ZERO success.
I believe I am not stripping the bootloader out fully. If anyone else can give this a shot, please let me know how your luck goes. Here is a link to the firmware mod kit.
https://code.google.com/p/firmware-mod-kit/
I do suggest getting the latest binwalk source, compiling it, and putting it in place of the one in FMK.
I managed to run FMK against a stock firmware using a later binwalk binary as you suggested.
What I am missing at the moment is how I can remove the bootloader part.
So the output of fmk is the following:
$ tree image_parts/
image_parts/
├── footer.img
├── header.img
└── rootfs.img
Then in the FMK folder I also have the rootfs folder uncompressed:
$ ls rootfs/
bin dev etc lib mnt proc root sbin sys tmp usr var web
So in the image parts I don't see anything referring to the boot partition.
Good afternoon.
As I understand it, the TP-Link stock firmware with bootloader has _boot_ in the firmware .bin file name. At present there is no such firmware to download for the C9. Please test using the D9 firmware, just to verify. The firmware path with _boot_ can be found at:
http://www.tp-link.com/en/handlers/download.ashx?resourceid=11587
So at this point the only solution is to wait for a "boot" firmware from TP-Link and strip out the bootloader section from that one.
I would avoid stripping out the bootloader and Broadcom 96345 part from the firmware.
I'm not too sure about the C9 FW not having the boot loader, because if that were the case it would 100% flash in recovery mode either way.
After using FMK to unpack the FW you can see u-boot in the header.img as well as in the strings dump. The only other theory I have is a signature in recovery, but with a stripped boot loader you would be able to flash right over dd-wrt within the GUI.
I have attached the strings for the Archer D9 that was posted above, and I see nothing referring to u-boot.
Hi Aboshi, according to WikiDevi this router uses CFE 6.37.14.93 from Broadcom instead of U-Boot, which is commonly used with the Atheros-based TP-Link routers.
https://wikidevi.com/wiki/TP-LINK_Archer_C9_v1.x
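Several posts in this thread (the "hex it out" and FMK discussion, the header.img/strings question, and the CFE-vs-U-Boot point just above) come down to the same task: locating the bootloader and the payload sections inside an image before deciding what to cut. The following is an added example, not code from the thread, FMK or binwalk: a small signature scanner that reports where common markers sit, lists the printable strings in a region (so a "CFE version ..." or "U-Boot ..." banner can be spotted), carves a byte range out, and parses the TRX container that dd-wrt's Broadcom images use. The signature list is a heuristic I assembled (the "CFE1CFE1" marker, the U-Boot banner, the uImage magic, a common LZMA header and the SquashFS magic), not a format specification for the Archer C9's stock image, and the TRX CRC convention (CRC-32 from the flags field to the declared length, initial value 0xFFFFFFFF, no final XOR) follows the OpenWrt trx tool. The test builds a constructed image with these markers; it is not a real firmware.

```python
import struct
import sys
import zlib

# Heuristic markers commonly found in Broadcom-router images (assumption: heuristics only,
# not the Archer C9 stock-image layout, which this thread never establishes).
SIGNATURES = {
    b"CFE1CFE1": "Broadcom CFE bootloader marker",
    b"U-Boot ": "U-Boot version banner",
    b"HDR0": "TRX container header (Broadcom/dd-wrt images)",
    b"\x27\x05\x19\x56": "uImage (U-Boot legacy image) header",
    b"\x5d\x00\x00\x80\x00": "LZMA stream (props 0x5d, 8 MiB dictionary)",
    b"hsqs": "SquashFS superblock (little-endian)",
}

TRX_HEADER_LEN = 28  # 'HDR0', u32 len, u32 crc32, u16 flags, u16 version, u32 offsets[3]


def scan(blob):
    """Return [(offset, description)] for every signature hit, sorted by offset."""
    hits = []
    for sig, desc in SIGNATURES.items():
        pos = blob.find(sig)
        while pos != -1:
            hits.append((pos, desc))
            pos = blob.find(sig, pos + 1)
    return sorted(hits)


def printable_runs(blob, start=0, end=None, min_len=6):
    """strings(1)-style: ASCII runs of at least min_len bytes inside blob[start:end]."""
    runs, cur = [], bytearray()
    for b in blob[start:end]:
        if 32 <= b < 127:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode("ascii"))
    return runs


def parse_trx(blob, offset):
    """Parse a little-endian TRX header at offset and verify its CRC.
    The CRC covers bytes from the flags field (header offset 12) up to the declared
    length; zlib.crc32 applies a final XOR, so undo it to match the TRX convention."""
    magic, length, crc, flags, version, o0, o1, o2 = struct.unpack_from(
        "<4sIIHHIII", blob, offset)
    if magic != b"HDR0":
        raise ValueError("no TRX header at 0x%x" % offset)
    body = blob[offset + 12:offset + length]
    calc = zlib.crc32(body) ^ 0xFFFFFFFF
    return {"length": length, "crc32": crc, "crc_ok": calc == crc,
            "flags": flags, "version": version, "offsets": [o0, o1, o2]}


def build_trx(payload, offsets=(TRX_HEADER_LEN, 0, 0), version=1):
    """Wrap payload in a TRX header with a correct CRC (used here to build test images)."""
    length = TRX_HEADER_LEN + len(payload)
    tail = struct.pack("<HHIII", 0, version, *offsets) + payload
    crc = zlib.crc32(tail) ^ 0xFFFFFFFF
    return b"HDR0" + struct.pack("<II", length, crc) + tail


def carve(blob, start, end=None):
    """Return blob[start:end]; write it to a file to get a stripped/extracted section."""
    return blob[start:end]


def report(blob):
    """Human-readable summary of scan() hits, one line per marker."""
    lines = []
    for off, desc in scan(blob):
        extra = ""
        if desc.startswith("TRX"):
            info = parse_trx(blob, off)
            extra = "  len=%d crc_ok=%s offsets=%s" % (
                info["length"], info["crc_ok"], info["offsets"])
        lines.append("0x%08x  %s%s" % (off, desc, extra))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python3 fwscan.py firmware.bin
    with open(sys.argv[1], "rb") as f:
        image = f.read()
    print(report(image))
    print("\n".join(printable_runs(image, min_len=8)[:40]))
```

A hit for "CFE1CFE1" or a "CFE version" string near the start of an image, with the first TRX or LZMA marker some distance after it, is the region the thread is trying to identify; confirm with the strings around it before carving, since a marker can also occur inside compressed or unrelated data.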