Posted: Fri Nov 21, 2014 14:16 Post subject: whr-600d
I was trying to get dd-wrt for my router WHR-600D
from the European site, but I cannot do it: their system did not accept my serial # and after I made a voice call to Buffalo support they refused to help me with it.
Was anyone able to download and install it in the US?
Did it work? I wish I could have dd-wrt on my whr-600d in the US. Thanks for the help.
fedoracooper, I had a similar experience but mine didn't go so well. After flashing the router through the web UI, I got straight into the boot loop.
I ended up wiring up a serial header and running it through my Arduino Uno in tristate mode. I found that I was getting a kernel panic, just as I suspected:
Because of this, I had no network access to the router, and thus, no TFTP actions worked at all.
I attempted to reboot the router and fiddle with the boot menu options:
Code:
Please choose the operation:
1: Load system code to SDRAM via TFTP.
2: Load system code then write to Flash via TFTP.
3: Boot system code via Flash (default).
4: Entr boot command line interface.
7: Load Boot Loader code then write to Flash via Serial.
9: Load Boot Loader code then write to Flash via TFTP.
I only worked with options 2, 3, 4, and the undocumented option 0.
Option 2:
Option 2 gave prompts, asking me what IP I wanted to use for the router and what IP was serving the firmware, and what the firmware filename was. This seemed promising, but in the end I found that it was not working properly:
The MAC address that the router was telling itself to use (shown via the "printenv" command) was 00:AA:BB:CC:DD:10, but what it was registering via ARP was 00:00:AA:BB:CC:DD. I thought this was going to cause a problem, so I set some persistent ARP table entries on my computer, but that didn't help anything.
Wireshark showed the ARP announce and queries as I expected, and it seemed as though things were reporting properly. The TFTP packets were interesting though. The computer would issue the "WRITE" packet, but it would be met with a corrupt response. The router's "READ" packets seemed correct as well, but since they didn't line up with what the computer was sending, they were unmet.
I gave up on TFTP at this point, save for some fiddling with it via Option 4, which I'll get to in a minute.
Option 3:
This is the default option on the router, and it will just boot whatever the "bootcmd" is set to. For me, this was the "tftpboot" command, which apparently failed back to booting a local image. This was where I got stuck in the kernel panic boot loop.
Option 4:
As you'd expect, option 4 gives you a shell to work with. However, you're quite limited here. I'll post a log of the shell help later, but basically you can read memory, load a file in Kermit mode to a specific memory location, or fiddle with the environment variables and persist them.
Option 0:
For the heck of it, I attempted to hit every undocumented integer at the boot menu to see what would happen, starting with 0. This is also where I stopped. Instead of having to manually go into option 4 and use the "loadb" command to load up a file via Kermit mode, this option plopped you at the same options but with a different starting offset. I figured this would be the way to do it, so I forged ahead.
I first tried with the Buffalo factory firmware (whr600d-160), but it didn't work. I got a "Bad magic number,23845C1F" and the boot process stopped. I tried again with the DD-WRT "firmware-us.bin" and had a similar result, but with a different magic number: 90BF8611.
These numbers seem to be coming from a value in the flash though, which tells me that I need to erase the flash. However, the "erase" command doesn't seem to work, even if I use it as the uboot documentation says.
So as it turns out, loadb and boot option 0 both attempt to load the file into address 0x80100000, but the kernel is booting from 0xbc050000. Because of this, I've attempted to loadb starting at 0xbc050000 with the Buffalo factory image.
Doing a 'md 0xbc050000' shows the DD-WRT image header presently, so I'm hoping that once this Kermit send finishes I'll see the generic "Linux Kernel Image" starting around 0xbc050050 instead.
Word of advice: Use a well-known TFTP server. The things I was using just weren't doing what was expected. Now though, I'm using TFTPD32 and it's doing exactly what one would expect.
However, I'm still getting "Bad Magic Number" regardless of which image file I use. This tells me that my bootloader is pointing at the wrong start address.
I may have the unencrypted buffalo factory firmware at home. Magnetron gave it to me.
I've since pitched the router because I couldn't even get serial output after a case of brain fart.
I am not sure if this is the one. _________________ I am far from a guru, I'm barely a novice.
I did make a huge bit of progress since my last post. Here's what I did:
OpenWRT has a build just for the WHR-600D, so I grabbed it. The openwrt-ramips-mt7620a-whr-600d-squashfs-sysupgrade.bin build to be specific. I put this in my TFTP directory on my computer and rebooted the router. When the boot menu came up, I selected option 2 and pointed everything to this particular image. Once it was done the router rebooted itself and BAM! Right into the OpenWRT build. I did a few tests and verified that it was indeed working, and put the board back in the case and buttoned it all up.
Now, I know that OpenWRT is not DD-WRT, and it's painfully obvious. However, I couldn't get the DD-WRT or factory Buffalo images to work. Everything I tried with them resulted in a "Bad Magic Number" error.
If anyone is in a similar situation, I suggest you do what I did. You'll need the ramips/mt7620a build of OpenWRT.
If any of the DD-WRT guys are watching this, know that there are people who want to use DD-WRT and that I am one of them.
Dunno if it's similar, realskudd, but here is how:
Brand new WHR-600D, upgraded via web UI to 11-20-2014-r25408, now in a boot loop: it starts and after about 15 seconds reboots. Now what?
Posted: Thu Nov 27, 2014 22:09 Post subject: Unbrick / restore factory firmware on Buffalo WHR-600D
How to unbrick / restore factory firmware on Buffalo WHR-600D using the TTL serial port.
***In the next posts you can also find the procedure WITHOUT THE TTL serial connection (17dec2014)***
(The WHR-600D factory firmware does not appear to be encrypted)
Procedure rev.1 27nov2014
- Download the original factory firmware (for example "whr600d-160").
- Open it with a hex editor (I used frhed 1.6.0).
- Delete the first 52 bytes (this is the header). After that, the file will start with the byte sequence "27 05 19 56".
- Save the edited firmware in the TFTP server folder with a new name (for example "firmware_WHR-600D.ram").
- Set a static IP on the PC side (like 192.168.11.168) and run the TFTP server on that IP.
- Now we are ready to flash the router using the TFTP server and serial terminal.
- Check that the router is off with the mode switch set to the "Auto" position, the serial port connected at baud rate 57600, and the network cable connected.
- From the serial terminal, immediately after powering on the router, press "2" (the U-Boot option "Load system code then write to Flash via TFTP").
- Then read the output text to interact with the upload procedure.
- When the flashing is complete the router will reboot itself and all LEDs will come on.
- Set automatic IP on the PC side.
- When the power LED stops blinking, it's possible to access the router web interface (192.168.11.1).
- User=admin - password=password
- If everything went right you should see the factory firmware running.
DONE!
- Now from the web interface it is also possible to flash the original "WHR-600D professional firmware (dd-wrt based)"
- If someone wants to directly restore DD-WRT (not pro) using U-Boot (option "2"), they must use "firmware.uimage" rev.24461 (DD-WRT path: Downloads›betas›2014›06-23-2014-r24461›buffalo_whr_600d). In this case you do NOT need to edit the firmware file with a hex editor.
I hope that this procedure will help you to unbrick and/or restore the desired firmware.
Last edited by jspace on Wed Dec 17, 2014 15:33; edited 2 times in total
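The hex-editor step in the procedure above, as an added example that is not part of the original post: a Python sketch that strips the 52-byte vendor header and checks the result against the standard legacy U-Boot image (uImage) header layout, including both CRC32 fields, before the file goes into the TFTP folder. The function names and the sample image are constructed for illustration; the sample is not real firmware.

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956   # the "27 05 19 56" sequence named in the procedure
VENDOR_HEADER_LEN = 52      # bytes the procedure says to delete
UIMAGE_HEADER_LEN = 64      # size of a legacy U-Boot image header


def check_uimage(blob):
    """Validate a legacy uImage header; return (ok, reason)."""
    if len(blob) < UIMAGE_HEADER_LEN:
        return False, "too short for a uImage header"
    # All header fields are big-endian 32-bit words.
    magic, hcrc, _time, size, _load, _ep, dcrc = struct.unpack(">7I", blob[:28])
    if magic != UIMAGE_MAGIC:
        return False, "bad magic number %08X" % magic
    # The header CRC is computed with the hcrc field itself zeroed.
    zeroed = blob[:4] + b"\0\0\0\0" + blob[8:UIMAGE_HEADER_LEN]
    if zlib.crc32(zeroed) & 0xFFFFFFFF != hcrc:
        return False, "header CRC mismatch"
    data = blob[UIMAGE_HEADER_LEN:UIMAGE_HEADER_LEN + size]
    if len(data) != size:
        return False, "image truncated"
    if zlib.crc32(data) & 0xFFFFFFFF != dcrc:
        return False, "data CRC mismatch"
    return True, "ok"


def strip_vendor_header(factory, skip=VENDOR_HEADER_LEN):
    """Drop the vendor header; refuse to return an image that fails the checks."""
    stripped = factory[skip:]
    ok, reason = check_uimage(stripped)
    if not ok:
        raise ValueError("not flashing this: " + reason)
    return stripped


def build_sample_factory_image(payload=b"constructed kernel payload"):
    """Constructed input: 52 filler bytes + a valid uImage (not real firmware)."""
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), 0x80000000, 0x80000000,
              zlib.crc32(payload) & 0xFFFFFFFF]
    hdr = struct.pack(">7I4B32s", *fields, 5, 5, 2, 0, b"constructed sample")
    hcrc = zlib.crc32(hdr) & 0xFFFFFFFF
    hdr = hdr[:4] + struct.pack(">I", hcrc) + hdr[8:]
    return b"\xAA" * VENDOR_HEADER_LEN + hdr + payload


if __name__ == "__main__":
    image = strip_vendor_header(build_sample_factory_image())
    print(image[:4].hex(), check_uimage(image))
```

With a real download, read the factory file in binary mode, pass the bytes to `strip_vendor_header`, and write the result under the new name only if no exception is raised.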
Ty jspace for the workaround. I didn't do it (that thing with the serial port and opening the router case, I don't have much knowledge), but somehow managed to boot up the router by plugging/unplugging the power cable a couple more times.
Downloaded the 02-04-2014-r23503 firmware and, with crossed fingers, pressed the upgrade button; now it's working stable and booting. Should I revert to the default firmware or leave it as is?
Thank you Ielej for your feedback!
To flash the firmware using the AOSS button did you set tftp server with IP 192.168.11.168 and firmware file name "firmware_WHR-600D.ram"?
Which "r23503 firmware" file did you use? (uimage / webflash / us jp eu)
Ielej, I think you can leave it as is.
Anyway, I want to try some tests to see if it is possible to revert to the factory firmware using the AOSS button.
Didn't try TFTP, because while I was reading your post the router booted up normally.
Had a couple of WZR-600DHP2 routers and installed the latest ddwrt firmwares with no problems. Strange.
Won't install ddwrt on the 600D for now.
I ended up wiring up a serial header and running it through my Arduino Uno in tristate mode.
Can you explain this? Apparently my Google-fu isn't as strong as it once was. It seems I simply need to hook a wire from GND to Reset on the Arduino, and then from Pin 0 and Pin 1 to the board in the same configuration as is shown here: http://wiki.openwrt.org/toh/buffalo/wzr-hp-ag300h
In this case, RX (Arduino Pin 0) goes to RX, and TX (Arduino Pin 1) goes to TX on the WHR-600D board.
Did I miss something, or am I just not getting a good connection?
Also, I assume the serial port settings are 115200, 8N1?
Thanks for the help guys. I've never had this much trouble installing DD-WRT before, and haven't actually had to hook a serial console up to a router since about 2006/2007! I guess I got lucky with the last couple of routers I bought. =)