Joined: 07 Feb 2013
|Posted: Fri May 10, 2019 21:09 Post subject: Restore default-mac, pin, product-info etc... in ddwrt
|So I had flashed with the early versions of DDWRT and overwritten the following "Factory" partitions:
Given their adresses in the flash, these all end up inside the ddwrt's mdt3 partition (also named "ddwrt")
At boot ddwrt shows its mdt partition table
|bcmsflash: squash filesystem found at block 30
Creating 6 MTD partitions on "bcmsflash":
mtd0 0x000000000000-0x000000040000 : "boot"
mtd1 0x000000040000-0x000000f00000 : "linux"
mtd2 0x0000001e0000-0x000000d30000 : "rootfs" <-- a sub layer partition of mtd1 "linux"
mtd3 0x000000d30000-0x000000f00000 : "ddwrt" <-- a sub layer partition of mtd1 "linux"
mtd4 0x000000ff0000-0x000001000000 : "nvram_cfe"
mtd5 0x000000fe0000-0x000000ff0000 : "nvram"
One way to restore them would be to flash a modified (with my MAC and PIN) version of ddwrt-to-factory.bin (found here: https://forum.dd-wrt.com/phpBB2/download.php?id=34337) as described in https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=283784&postdays=0&postorder=asc&highlight=archer++brick+fix&start=135
Now in ddwrt-to-factory.bin here are the adresses of the "Factory" partitions
|01. partition os-image base 0x000000 size 0x200000
02. partition file-system base 0x200000 size 0xc00000
03. partition default-mac base 0xe00000 size 0x000200
04. partition pin base 0xe00200 size 0x000200
05. partition product-info base 0xe00400 size 0x000200
06. partition partition-table base 0xe10000 size 0x010000
07. partition soft-version base 0xe20000 size 0x000200
08. partition support-list base 0xe31000 size 0x00f000
09. partition profile base 0xe40000 size 0x010000
10. partition default-config base 0xe50000 size 0x010000
Instead, as I didn't want to have to hassle with doing that and then reflashing and reconfiguring dwrt I did the folowing :
1) Replaced MAC and PIN (and did not bother with the CRC as I won't be using it in the end... but you can still do it) with mine in ddwr-to-factory.bin using hexedit and saved as ddwr-to-factory_myMAC_myPIN.bin
MAC is at 0xe00000
PIN is at 0xé00200
2) Extracted the appropriate bytes from ddwrt-to-factory_myMAC_myPIN.bin
"ddwrt" (mtd3) data starts at 0xcf0000=hex(0x000000d30000-0x000000040000) in ddwr-to-factory.bin
"ddwrt" (mtd3) data would therefore end at 0xec0000=hex(0x000000f00000-0x000000040000) in ddwr-to-factory.bin.
However ddwr-to-factory contains only 0xe50000 bytes so 0x070000=0xec0000-0xe5000=458752 bytes are missing
So we just extract all bytes starting from adress 0xcf0000=13565952 so starting from byte 13565953
|tail -c +13565953 ddwrt-to-factory_myMAC_myPIN.bin > part1.bin |
3) Created a file filled with 0x070000=458752 zero bytes
|dd if=/dev/zero of=0x070000zeros.bin bs=458752 count=1 |
4) Concatenated both previous files
|cat ddwrt-to-factory_myMAC_myPIN.bin 0x070000zeros.bin > mtd3_myMAC_myPIN.bin |
5) Flash to ddwrt partition logged in
|mtd write mtd3_myMAC_myPIN.bin ddwrt |
6) You can then test it was applied correctly from within CFE with
|fdump -offset=0xe40000 |
for the MAC
|fdump -offset=0xe40200 |
for the PIN
Joined: 09 Sep 2019
|Posted: Mon Sep 09, 2019 2:54 Post subject:
|a1smith wrote: |
|chrisdmc wrote: |
|Latest DD-WRT firmware (01/25/2016) no longer overwrites TP-Link partitions, try first to revert to stock using TFTP method!
EDIT: The image is only for Archer c9 v1.
For Archer C9 I have modified 12.bin image from @Heinzek to make it flash from DD-WRT web interface.
WARNING: Wait until somebody that have open the router case and has UART, have flash it and confirms that it works! Otherwise you could end-up with a bricked router.
WARNING: The image will overwrite default MAC and Pin on your router, to restore them you will have to modify the image in same way I have posted instructions for Costco US Archer C1900 (black case) or in the worst case flash the 'default-mac' and 'pin' partitions from CFE with correct data.
To validate the image works as expected:
1. Extract ddwrt-to-factory.bin from the attached zip and flash it from DD-WRT web interface as you would normally flash a DD-WRT update image (webflash.bin). Wait until DD-WRT reboots the router.
2. After DD-WRT reboots the router, do a hard-reset by pressing the reset button for around 30secs or until all the lights turn on.
3. Once in TP-Link web interface, flash the router with an official firmware. It should work.
4. Try to flash the official firmware by using TFTP (instructions by @Heinzek - page 2).
I successfully flashed my TP-Link Archer C9 v1 back to stock firmware using your file. I updated the MAC, PIN, and CRC in the file. Here are a few comments to help out others.
The router MAC and PIN in the file are the original Heinzek values, not the values you mention in the C1900 post. I'm listing the values in the file to prevent confusion and so people can confirm they are updating the correct locations.
Router MAC: 14 CC 20 D1 DC AA
WPA key/WPS pin: 79342513 (37 39 33 34 32 35 31 33 in hex)
The CRC value in the file is 0D 28 7D 83.
Here is my router flash history. I did a factory reset using GUI before flashing to DD-WRT.
1. Original TP-Link Firmware (firmware version 3.17.0, build 20150514, release 70681n)
2. reset to factory defaults via GUI
3. DD-WRT 12-24-2015-r28598
4. DD-WRT 02-01-2016-r29002
5. DD-WRT 12-24-2015-r28598
6. reset to factory defaults via GUI
7. revert to stock firmware via DD-WRT GUI (firmware version 3.16.28, build 20141112, release 46311n)
8. flash to latest TP-Link firmware via GUI (firmware version 3.17.0, build 20150514, release 70681n)
Some other details:
- I never turned on jffs2 so I didn't clear any nvram this way.
- I never used 'erase nvram' command.
- From telnet, dmesg command after DD-WRT boot was showing 'Northstar Prototype' as hardware. This was probably due to DD-WRT firmware before 1/25/16 overwriting product info.
- I didn't confirm TFTP flash works (step 4 above) but the other two flashes worked without any problems.
You both have saved my router from becoming paper weight! Thank you very much.
Super easy to follow instructions! Even chaging MAC, Pin and CRC was easy. Whole process took me 10 minutes.
My Archer C9 was flashed with ddwrt and was very very unstable and incredibly slow. The tftpd method did not work (bin file was sent but router would always boot to ddwrt).
Now on stock firmware the little guy is soaring.