WZR-600DHP with locked IDEXX custom firmware.

Post new topic   Reply to topic    DD-WRT Forum Index -> Atheros WiSOC based Hardware
Goto page 1, 2  Next
Author Message
jacubillo
DD-WRT Novice


Joined: 28 Jan 2014
Posts: 6

PostPosted: Wed Jun 01, 2016 2:15    Post subject: WZR-600DHP with locked IDEXX custom firmware. Reply with quote
Hi,

Bought a cheap Buffalo WZR-600DHP router on ebay and when it arrived first thing I did was plug it and hold it's reset button for 10seconds to do a factory reset. Turns out the router kept it's IDEXX and LAB_Guest SSIDs... looking more into it, I found out it has a custom ddwrt firmware made by a veterinary company named (you guessed it) IDEXX and used to connect their analyzing equipment or whatever...

I managed to get myself a serial connetion with a usb-serial converter and arrived at a ar7100> console prompt. I'm trying to tfp a new ddwrt image but when I try to boot into it I get a Bad Magic Number, Bad Header Checksum, and Bad Data CRC errors. This is the first time I try to use a router's serial console and flash it by tftp so this is all new to me.

What can be made to re-flash this router with a "normal" ddwrt image or even with the stock buffalo firmware?
I can post the boot messages and all env variables if required. U-boot shows as>

BUFFALO U-BOOT Ver 1.00
== CPU:680MHz, DDR:340MHz, AHB:170MHz ==
AP96 (ar7100) U-boot 0.0.1
DRAM: 128 MB
Top of RAM usable for U-Boot at: 84000000
Reserving 266k for U-Boot at: 83fbc000

I don't want to do anything that may brick even more this router...
Sponsor
jacubillo
DD-WRT Novice


Joined: 28 Jan 2014
Posts: 6

PostPosted: Wed Jun 01, 2016 2:20    Post subject: Reply with quote
These are the messages displayed via it's serial console when booting>

Code:

BUFFALO U-BOOT Ver 1.00
  == CPU:680MHz, DDR:340MHz, AHB:170MHz ==
AP96 (ar7100) U-boot 0.0.1
DRAM:  128 MB
Top of RAM usable for U-Boot at: 84000000
Reserving 266k for U-Boot at: 83fbc000
Reserving 192k for malloc() at: 83f8c000
Reserving 44 Bytes for Board Info at: 83f8bfd4
Reserving 36 Bytes for Global Data at: 83f8bfb0
Reserving 128k for boot params() at: 83f6bfb0
Stack Pointer at: 83f6bf98
Now running in RAM - U-Boot at: 83fbc000
flash bank #0 found 16 MB flash [MX25L128-45E, blk:0x10000, sectors:256]
flash bank #1 found 16 MB flash [MX25L128-45E, blk:0x10000, sectors:256]
Flash: 32 MB
In:    serial
Out:   serial
Err:   serial
Memory Test
uboot use  83F6BFB0 - 84000000
Memory Test start(80000000) end(83F00000) size(03F00000)
Pattern 00000000  Writing...  Reading...
Memory Test start(84000000) end(88000000) size(04000000)
Pattern 00000000  Writing...  Reading...
Memory Test OK
### buf_ver=[1.00] U-Boot Ver.=[1.00]
### build_date(env)=[May 21 2012 - 08:29:08] build_date(bin)=[May 21 2012 - 08:29:08]
ag7100_enet_initialize...
Reading MAC Address from ENV(0x83f8c2c7)
Port 0, Neg Success
Port 1, Neg Success
Port 2, Neg Success
Port 3, Neg Success
eth0: Phy Specific Status=0010
eth0: Phy Specific Status=0010
eth0: Phy Specific Status=0010
eth0: Phy Specific Status=0010;▒eth0: 02:aa:bb:cc:dd:20
eth0 up
Reading MAC Address from ENV(0x83f8c2c7)
Port 4, Neg Success
eth1: Phy Specific Status=0010
eth1: 02:aa:bb:cc:dd:21
eth1 up
eth0  02:AA:BB:CC:DD:20
, eth1  02:AA:BB:CC:DD:21


enet0 port2 up
pll reg 0x18050010: 0x110000
tftp server(receive) go, waiting:60[sec]
Load address: 0x84000000
checksum bad
checksum bad
checksum bad
checksum bad

TftpServer Timeout;
no file was loaded.
change bootargs
console=ttyS0,115200 root=31:03 rootfstype=jffs2 init=/sbin/init mtdparts=ar7100-nor0:256k(u-boot),64k(u-boot-env),1152k@384k(uImage),6592k@1536k(rootfs),64k@320k(ART),64k@8128k(properties),8192k@8192k(flash1),16384k@16384k(flash2) mem=128M
## Booting image at bf060000 ...
   Image Name:   DD-WRT v24 Linux Kernel Image
   Created:      2014-02-13   8:24:36 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1195799 Bytes =  1.1 MB
   Load Address: 80060000
   Entry Point:  800646d0
   Verifying Checksum ... crc32_fw: bf060040 - bf183f56 (len:00123f17) calc...
crc32_fw: range1 bf060040 - bf183f56
OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 800646d0) ...
## Giving linux memsize in bytes, 134217728

Starting kernel ...

[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU revision is: 00019374 (MIPS 24Kc)
[    0.000000] booting platform Atheros AR7161 rev 2 (0xaa)
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 08000000 @ 00000000 (usable)
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x00000000-0x07ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x00000000-0x07ffffff]
[    0.000000] Primary instruction cache 64kB, 4-way, VIPT, I-cache aliases, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[    0.000000] Linux version 3.9.11 (root@dd-wrt.buildserver) (gcc version 4.8.1 (OpenWrt/Linaro GCC 4.8-2013.04 r36550) ) #55 Tue Feb 11 14:04:47 CET 2014
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 32512
[    0.000000] Kernel command line: console=ttyS0,115200 root=1f02 rootfstype=squashfs noinitrd init=/sbin/init
[    0.000000] PID hash table entries: 512 (order: -1, 2048 bytes)
[    0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] __ex_table already sorted, skipping sort
[    0.000000] Writing ErrCtl register=00000000
[    0.000000] Readback ErrCtl register=00000000
[    0.000000] Memory: 125936k/131072k available (2413k kernel code, 5136k reserved, 706k data, 208k init, 0k highmem)
[    0.000000] NR_IRQS:80
[    0.000000] irq init done
[    0.000000] plat_time_init: plat time init done
[    0.000000] Calibrating delay loop... 452.19 BogoMIPS (lpj=2260992)
[    0.060000] pid_max: default: 32768 minimum: 301
[    0.060000] Mount-cache hash table entries: 512
[    0.070000] NET: Registered protocol family 16
[    3.070000] registering PCI controller with io_map_base unset
[    3.080000] bio: create slab <bio-0> at 0
[    3.090000] PCI host bridge to bus 0000:00
[    3.090000] pci_bus 0000:00: root bus resource [mem 0x10000000-0x16ffffff]
[    3.100000] pci_bus 0000:00: root bus resource [io  0x0000]
[    3.100000] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
[    3.110000] found calibration data for slot 0 on 0xBF051000
[    3.120000] PCI: fixup device 0000:00:00.0
[    3.120000] found calibration data for slot 1 on 0xBF055000
[    3.130000] PCI: fixup device 0000:00:01.0
[    3.140000] pci 0000:00:00.0: BAR 0: assigned [mem 0x10000000-0x1000ffff]
[    3.140000] pci 0000:00:01.0: BAR 0: assigned [mem 0x10010000-0x1001ffff]
[    3.150000] Switching to clocksource MIPS
[    3.150000] NET: Registered protocol family 2
[    3.160000] TCP established hash table entries: 1024 (order: 1, 8192 bytes)
[    3.160000] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[    3.170000] TCP: Hash tables configured (established 1024 bind 1024)
[    3.170000] TCP: reno registered
[    3.170000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    3.180000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    3.190000] NET: Registered protocol family 1
[    3.190000] gpio_proc: module loaded and /proc/gpio/ created
[    3.200000] Register LED Device
[    3.200000] wl0gpio_proc: module loaded and /proc/wl0gpio/ created
[    3.210000] AR7100 GPIOC major 0
[    3.210000] squashfs: version 3.0 (2006/03/15) Phillip Lougher
[    3.220000] msgmni has been set to 245
[    3.220000] alg: No test for stdrng (krng)
[    3.230000] io scheduler noop registered
[    3.230000] io scheduler deadline registered (default)
[    3.240000] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
[    3.260000] serial8250.0: ttyS0 at MMIO 0x18020000 (irq = 19) is a 16550A
[    3.270000] console [ttyS0] enabled, bootconsole disabled
[    3.270000] console [ttyS0] enabled, bootconsole disabled
[    3.280000] check spi banks 2
[    3.290000] 0000 : C2 20 18
[    3.290000] found MX25L128-45E device on bank#0
[    3.290000] 0000 : C2 20 18
[    3.300000] found MX25L128-45E device on bank#1
[    3.300000] SPI flash size total:32 Mbytes
[    3.390000]
[    3.390000] found squashfs at 184000
[    3.400000] Creating 9 MTD partitions on "ar7100-nor0":
[    3.410000] 0x000000000000-0x000000050000 : "RedBoot"
[    3.410000] 0x000000060000-0x000001fe0000 : "linux"
[    3.420000] 0x000000184000-0x000000ce0000 : "rootfs"
[    3.420000] mtd: partition "rootfs" must either start or end on erase block boundary or be smaller than an erase block -- forcing read-only
[    3.440000] mtd: partition "rootfs" set to be root filesystem
[    3.440000] 0x000000ce0000-0x000001fe0000 : "ddwrt"
[    3.450000] 0x000001fe0000-0x000001ff0000 : "nvram"
[    3.450000] 0x000001ff0000-0x000002000000 : "FIS directory"
[    3.460000] 0x000001ff0000-0x000002000000 : "board_config"
[    3.470000] 0x000000000000-0x000002000000 : "fullflash"
[    3.470000] 0x000000040000-0x000000050000 : "uboot-env"
[    3.480000] tun: Universal TUN/TAP device driver, 1.6
[    3.480000] tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
[    3.890000] PPP generic driver version 2.4.2
[    3.890000] PPP BSD Compression module registered
[    3.900000] PPP Deflate Compression module registered
[    3.900000] PPP MPPE Compression module registered
[    3.910000] NET: Registered protocol family 24
[    3.930000] u32 classifier
[    3.930000]     Performance counters on
[    3.930000]     input device check on
[    3.940000]     Actions configured
[    3.940000] Netfilter messages via NETLINK v0.30.
[    3.940000] nf_conntrack version 0.5.0 (1967 buckets, 7868 max)
[    3.950000] nf_conntrack_rtsp v0.6.21 loading
[    3.960000] nf_nat_rtsp v0.6.21 loading
[    3.960000] ip_tables: (C) 2000-2006 Netfilter Core Team
[    3.970000] IPP2P v0.8.2 loading
[    3.970000] TCP: bic registered
[    3.970000] TCP: cubic registered
[    3.970000] TCP: westwood registered
[    3.980000] TCP: highspeed registered
[    3.980000] TCP: hybla registered
[    3.990000] TCP: htcp registered
[    3.990000] TCP: vegas registered
[    3.990000] TCP: veno registered
[    3.990000] TCP: scalable registered
[    4.000000] TCP: lp registered
[    4.000000] TCP: yeah registered
[    4.000000] TCP: illinois registered
[    4.010000] NET: Registered protocol family 17
[    4.010000] Bridge firewalling registered
[    4.020000] 8021q: 802.1Q VLAN Support v1.8
[    4.020000] searching for nvram
[    4.030000] nvram size = 0
[    4.110000] Atheros AR71xx hardware watchdog driver version 0.1.0
[    4.110000] ar71xx-wdt: timeout=15 secs (max=25) ref freq=170000000
[    4.120000] VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
[    4.130000] Freeing unused kernel memory: 208k freed
start service
starting Architecture code for wzrag300nh
starting hotplug
Jan  1 00:00:05 udevtrigger[266]: parse_config_file: can't open '/etc/udev/udev.conf' as config file: No such file or directory
start MSTP Daemon
1970-01-01 00:00:06 main: Sanity checks succeeded
done
load ag71xx or ag7100_mod Ethernet Driver
[    6.450000] switch0: Atheros AR8316 switch registered on ag71xx-mdio.0
[    6.450000] libphy: ag71xx_mdio: probed
[    6.460000] eth0: Atheros AG71xx at 0xb9000000, irq 4, mode:RGMII
[    6.780000] ar8316: Using port 4 as switch port
[    8.300000] ag71xx ag71xx.0 eth0: connected to PHY at ag71xx-mdio.0:00 [uid=004dd041, driver=Atheros AR8216/AR8236/AR8316]
[    8.310000] eth1: Atheros AG71xx at 0xba000000, irq 5, mode:RGMII
[    8.630000] ar8316: Using port 4 as PHY
[   10.660000] ag71xx ag71xx.1 eth1: connected to PHY at ag71xx-mdio.0:04 [uid=004dd041, driver=Atheros AR8216/AR8236/AR8316]
load ATH 802.11 a/b/g Driver
insmod: ath_hal.ko: module not found
insmod: ath_pci.ko: module not found
insmod: ath_ahb.ko: module not found
load ATH9K 802.11n Driver
[   11.540000] Loading modules backported from Linux version master-2013-06-27-0-gdcfa6d5
[   11.550000] Backport generated by backports.git backports-20130617-4-ge3220f5
insmod: compat_firmware_class.ko: module not found
[   11.680000] cfg80211: Calling CRDA to update world regulatory domain
[   11.690000] cfg80211: World regulatory domain updated:
[   11.690000] cfg80211:   (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
[   11.700000] cfg80211:   (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[   11.710000] cfg80211:   (2457000 KHz - 2482000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
[   11.710000] cfg80211:   (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
[   11.720000] cfg80211:   (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[   11.730000] cfg80211:   (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[   12.140000] ieee80211 phy0: Atheros AR9280 Rev:2 mem=0xb0000000, irq=48
[   12.150000] PCI: Enabling device 0000:00:01.0 (0000 -> 0002)
[   12.170000] ieee80211 phy1: Atheros AR9280 Rev:2 mem=0xb0010000, irq=49
[   12.180000] cfg80211: Calling CRDA for country: US
[   12.190000] cfg80211: Regulatory domain changed to country: US
[   12.200000] cfg80211:   (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
[   12.200000] cfg80211:   (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2700 mBm)
[   12.210000] cfg80211:   (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 1700 mBm)
[   12.220000] cfg80211:   (5250000 KHz - 5330000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[   12.230000] cfg80211:   (5490000 KHz - 5600000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[   12.230000] cfg80211:   (5650000 KHz - 5710000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[   12.240000] cfg80211:   (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 3000 mBm)
[   12.250000] cfg80211:   (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 4000 mBm)
[USB] checking...
umount: can't umount /mnt: No such file or directory
rmmod: usblp: No such file or directory
rmmod: printer: No such file or directory
rmmod: usb-storage: No such file or directory
rmmod: sr_mod: No such file or directory
rmmod: cdrom: No such file or directory
rmmod: sd_mod: No such file or directory
rmmod: scsi_wait_scan: No such file or directory
rmmod: scsi_mod: No such file or directory
rmmod: usb-ohci: No such file or directory
rmmod: ohci-hcd: No such file or directory
rmmod: uhci-hcd: No such file or directory
rmmod: usb-uhci: No such file or directory
rmmod: ehci-pci: No such file or directory
rmmod: ehci-platform: No such file or directory
rmmod: ehci-hcd: No such file or directory
rmmod: fsl-mph-dr-of: No such file or directory
rmmod: usbcore: No such file or directory
rmmod: usb-common: No such file or directory
rmmod: xfs: No such file or directory
rmmod: msdos: No such file or directory
rmmod: vfat: No such file or directory
rmmod: fat: No such file or directory
rmmod: nls_utf8: No such file or directory
rmmod: nls_iso8859-2: No such file or directory
rmmod: nls_iso8859-1: No such file or directory
rmmod: nls_cp437: No such file or directory
rmmod: nls_cp932: No such file or directory
rmmod: nls_cp936: No such file or directory
rmmod: nls_cp950: No such file or directory
rmmod: nls_base: No such file or directory
rmmod: ext3: No such file or directory
rmmod: jbd: No such file or directory
rmmod: ext2: No such file or directory
rmmod: mbcache: No such file or directory
rmmod: fuse: No such file or directory
[   13.370000] eth0: link up (1000Mbps/Full duplex)
ath9k deconfigure_single: phy0 ath0
ath9k deconfigure_single: phy1 ath1
CTL_set_cist_bridge_config: Got return code 0, -1
Couldn't find bridge with index 6

Couldn't change bridge bridge_forward_delay
killall: ea[   14.390000] eth0: link down
d: no process killed
[   14.430000] device eth0 entered promiscuous mode
/bin/sh: ead: not found
ifconfig: ioctl 0x8914 failed: Cannot assign requested address
ath9k deconfigure_single: phy0 ath0
ath9k deconfigure_single: phy1 ath1
[   14.490000] cfg80211: Calling CRDA to update world regulatory domain
[   14.490000] cfg80211: World regulatory domain updated:
[   14.500000] cfg80211:   (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
[   14.510000] cfg80211:   (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[   14.510000] cfg80211:   (2457000 KHz - 2482000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
[   14.520000] cfg80211:   (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
[   14.530000] cfg80211:   (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[   14.540000] cfg80211:   (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[   14.570000] cfg80211: Calling CRDA for country: US
[   14.580000] cfg80211: Regulatory domain changed to country: US
[   14.580000] cfg80211:   (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
[   14.590000] cfg80211:   (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2700 mBm)
[   14.600000] cfg80211:   (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 1700 mBm)
[   14.610000] cfg80211:   (5250000 KHz - 5330000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[   14.620000] cfg80211:   (5490000 KHz - 5600000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[   14.620000] cfg80211:   (5650000 KHz - 5710000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[   14.630000] cfg80211:   (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 3000 mBm)
[   14.640000] cfg80211:   (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 4000 mBm)
ath9k configure_single: phy0 ath0
/bin/sh: can't create /sys/kernel/debug/ieee80211/phy0/ath9k/chanbw: nonexistent directory
527:ath0
call mac80211autochannel for interface: ath0
[   16.400000] eth0: link up (1000Mbps/Full duplex)
[   16.400000] nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.
[   16.410000] br0: port 1(eth0) entered forwarding state
[   16.420000] br0: port 1(eth0) entered forwarding state
freq:2412 qual:83 noise:-95
freq:2417 qual:46 noise:-95
freq:2422 qual:69 noise:-95
freq:2427 qual:69 noise:-95
freq:2432 qual:45 noise:-95
freq:2437 qual:90 noise:-95
freq:2442 qual:45 noise:-95
freq:2447 qual:62 noise:-95
freq:2452 qual:60 noise:-95
freq:2457 qual:35 noise:-95
freq:2462 qual:89 noise:-95
mac80211autochannel interface: ath0 frequency: 2437
setup ath0 B0:C7:45:76:0B:D8
setup vifs ath0.1 1
setup vap 1 bss ath0.1
setup ath0.1 B2:C7:45:76:0B:D8
Configuration file: /tmp/ath0_hostap.conf
[   17.690000] device ath0 entered promiscuous mode
Using interface ath0 with hwaddr b0:c7:45:76:0b:d8 and ssid "IDEXXw1"
random: Only 11/20 bytes of strong random data available from /dev/random
random: Not enough entropy pool available for secure operations
WPA: Not enough entropy in random pool for secure operations - update keys later when the first stat[   18.100000] br0: port 2(ath0) entered forwarding state
ion connects
[   18.110000] br0: port 2(ath0) entered forwarding state
[   18.130000] device ath0.1 entered promiscuous mode
[   18.130000] br0: port 3(ath0.1) entered forwarding state
[   18.140000] br0: port 3(ath0.1) entered forwarding state
Using interface ath0.1 with hwaddr b2:c7:45:76:0b:d8 and ssid "LabStation Guest"
random: Cannot read from /dev/random: Resource temporarily unavailable
random: Only 11/20 bytes of strong random data available from /dev/random
random: Not enough entropy pool available for secure operations
WPA: Not enough entropy in random pool for secure operations - update keys later when the first station connects
ath9k configure_single: phy1 ath1
/bin/sh: can't create /sys/kernel/debug/ieee80211/phy1/ath9k/chanbw: nonexistent directory
527:ath1
call mac80211autochannel for interface: ath1
freq:5180 qual:86 noise:-95
freq:5200 qual:95 noise:-95
freq:5220 qual:95 noise:-95
freq:5240 qual:95 noise:-95
freq:5260 qual:95 noise:-95
freq:5280 qual:95 noise:-95
freq:5300 qual:95 noise:-95
freq:5320 qual:95 noise:-95
freq:5500 qual:95 noise:-95
freq:5520 qual:95 noise:-95
freq:5540 qual:95 noise:-95
freq:5560 qual:95 noise:-95
freq:5580 qual:95 noise:-95
freq:5660 qu[   23.330000] device ath1 entered promiscuous mode
al:95 noise:-95
freq:5680 qual:95 noise:-95
freq:5700 qual:95 noise:-95
freq:5745 qual:95 noise:-95
freq:5765 qual:95 noise:-95
freq:5785 qual:95 noise:-95
freq:5805 qual:95 noise:-95
freq:5825 qual:95 noise:-95
mac80211autochannel interface: ath1 frequency: 5200
setup ath1 B0:C7:45:76:0B:D9
Configuration file: /tmp/ath1_hostap.conf
Using interface ath1 with hwaddr b0:c7:45:76:0b:d9 and ssid "IDEXXw2"
random: Cannot read from /dev/random: Resource temporarily unavailable
random: Only 0/20 bytes of strong random data available from /dev/random
random: Not enough entropy pool available for secure operations
WPA: Not enough entropy in ra[   23.750000] br0: port 4(ath1) entered forwarding state
ndom pool for se[   23.760000] br0: port 4(ath1) entered forwarding state
cure operations - update keys later when the first station connects
killall: roaming_daemon: no process killed
rmmod: bonding: No such file or directory
nvram lock, waiting....
nvram lock, waiting....
nvram lock, waiting....
nvram lock, waiting....
nvram lock, waiting....
nvram lock, waiting....
nvram lock, waiting....
nvram lock, waiting....
nvram lock, waiting....
nvram lock, waiting....
cp: can't stat '/tmp/mycron.d/*': No such file or directory
nvram lock, waiting....
nvram lock, waiting....
nvram lock, waiting....
nvram lock, waiting....
nvram lock, waiting....
rmmod: n_hdlc: No such file or directory
[   24.400000] device eth1 entered promiscuous mode
[   24.430000] device eth1 left promiscuous mode
ath9k radio 1: phy0 ath0
ath9k radio 1: phy1 ath1
/bin/sh: /opt/etc/init.d/rcS: not found
/bin/sh: /jffs/etc/init.d/rcS: not found
/bin/sh: /mmc/etc/init.d/rcS: not found
nvram lock, waiting....
cp: can't stat '/jffs/mycron.d/*': No such file or directory
cp: can't stat '/mmc/mycron.d/*': No such file or directory
SIOCGIFFLAGS: No such device
The Milkfish Router Services
ERROR: Necessary service setting not found: milkfish_username - aborting.
nvram lock, waiting....
The Milkfish Router Services
Restoring SIP ddsubscriber database from NVRAM...
Empty.
The Milkfish Router Services
Restoring SIP ddaliases database from NVRAM...
Empty.
killall: proxywatchdog.sh: no process killed
umount: can't umount /mnt/smbshare: No such file or directory
rmmod: cifs: No such file or directory
rmmod: fscache: No such file or directory
killall: schedulerb.sh: no process killed
killall: shatd: no process killed
killall: wdswatchdog.sh: no process killed
rmmod: ipt_webstr: No such file or directory
rmmod: ipt_layer7: No such file or directory
rmmod: xt_layer7: No such file or directory
rmmod: ipt_ipp2p: No such file or directory
rmmod: xt_ipp2p: No such file or directory
rmmod: xt_physdev: No such file or directory
rmmod: xt_IMQ: No such file or directory
rmmod: ipt_IMQ: No such file or directory
rmmod: imq: No such file or directory
rmmod: sch_codel: No such file or directory
rmmod: sch_fq_codel: No such file or directory
[   31.440000] br0: port 1(eth0) entered forwarding state
[   33.120000] br0: port 2(ath0) entered forwarding state
[   33.160000] br0: port 3(ath0.1) entered forwarding state
[   38.800000] br0: port 4(ath1) entered forwarding state
connect: Network is unreachable
connect: Network is unreachable
connect: Network is unreachable
gethostbyname: Network is unreachable

DD-WRT v24-sp2 std (c) 2013 NewMedia-NET GmbH
Release: 02/13/14 (SVN revision: 22084)

DD-WRT login:




Any help is greatly appreciated... I hate that this firmware is locked out of usage!! Mad
jacubillo
DD-WRT Novice


Joined: 28 Jan 2014
Posts: 6

PostPosted: Wed Jun 01, 2016 2:56    Post subject: Reply with quote
My enviroment variables>

Code:

ar7100> printenv
bootargs=console=ttyS0,115200 root=31:03 rootfstype=jffs2 init=/sbin/init mtdparts=ar7100-nor0:256k(u-boot),64k(u-boot-env),1152k@384k(uImage),6592k@1536k(rootfs),64k@320k(ART),64k@8128k(properties),8192k@8192k(flash1),16384k@16384k(flash2)
bootcmd=bootm BF060000
baudrate=115200
ethaddr=02:AA:BB:CC:DD:20
fw_eaddr=BF060000 BEFFFFFF
uboot_eaddr=BF000000 BF03FFFF
u_fw=erase $fw_eaddr; cp.fw $fileaddr BF060000 $filesize; bootm BF060000;
ut_fw=tftp $tmp_ram firmware.bin; erase $fw_eaddr; cp.fw $fileaddr BF060000 $filesize; bootm BF060000;
ut_uboot=tftp $tmp_ram u-boot.bin; protect off $uboot_eaddr; erase $uboot_eaddr; cp.b $fileaddr BF000000 $filesize;
melco_id=RD_BB12049
hw_rev=0
uboot_ethaddr=02:AA:BB:CC:DD:20
DEF-p_wireless_ath00_11bg-authmode=psk
DEF-p_wireless_ath00_11bg-crypto=tkip+aes
DEF-p_wireless_ath00_11bg-authmode_ex=mixed-psk
DEF-p_wireless_ath10_11a-authmode=psk
DEF-p_wireless_ath10_11a-crypto=tkip+aes
DEF-p_wireless_ath10_11a-authmode_ex=mixed-psk
custom_id=0
buf_ver=1.00
region=US
tmp_ram=84000000
tmp_bottom=88000000
build_date=May 21 2012 - 08:29:08
DEF-p_wireless_ath00_11bg-wpapsk=56320732
DEF-p_wireless_ath10_11a-wpapsk=56320732
pincode=12186181
buf_crc=A16CCA9A
serverip=192.168.222.11
ipaddr=192.168.222.1
accept_open_rt_fmt=1
tftp_wait=60
stdin=serial
stdout=serial
stderr=serial
loadaddr=84000000
ethact=eth0

Environment size: 1345/65532 bytes
jacubillo
DD-WRT Novice


Joined: 28 Jan 2014
Posts: 6

PostPosted: Thu Jun 02, 2016 0:06    Post subject: Reply with quote
So... some progress... I guess...

I installed a tfp application and was able to transfer images to the router. The tftp software is "Tftpd64 by Ph. Jounin"

From the serial console I use the tftp command to "Boot image via network". The image is the stock buffalo firmware .enc that has been renamed to just "buf" since that´s what the tftp command looks for by default. I then bootm from address 0x84000000 . Why 0x84000000??? because that´s what I can see from the tftp transfer.. I have no idea what it actually means.. This is not my area and I´m solving this blindly... lol

Code:

ar7100> tftp
Using eth0 device
TFTP from server 192.168.222.11; our IP address is 192.168.222.1
Filename 'buf'.
Load address: 0x84000000
Loading: #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         ##########
done
Bytes transferred = 28336632 (1b061f8 hex)
ar7100> bootm 0x84000000
change bootargs
console=ttyS0,115200 root=31:03 rootfstype=jffs2 init=/sbin/init mtdparts=ar7100-nor0:256k(u-boot),64k(u-boot-env),1152k@384k(uImage),6592k@1536k(rootfs),64k@320k(ART),64k@8128k(properties),8192k@8192k(flash1),16384k@16384k(flash2) mem=128M
## Booting image at 84000000 ...
Bad Magic Number
 # LED(0x2) Blink[2] (Please press 'Ctrl+c' to stop)

Bad Header Checksum
 # LED(0x2) Blink[2] (Please press 'Ctrl+c' to stop)

   Image Name:
   Created:      1970-01-01   0:03:05 UTC
   Image Type:   Invalid CPU Invalid OS Standalone Program (unknown compression)
   Data Size:    28336376 Bytes = 27 MB
   Load Address: dc4f05eb
   Entry Point:  73746172
   Verifying Checksum ... crc32_fw: 84000040 - 85b06137 (len:01b060f8) calc...
Bad Data CRC
 # LED(0x2) Blink[2] (Please press 'Ctrl+c' to stop)

OK
Unsupported Architecture 0x0
 # LED(0x2) Blink[2] (Please press 'Ctrl+c' to stop)

Unimplemented compression type 251
 # LED(0x2) Blink[2] (Please press 'Ctrl+c' to stop)

OK



I get all those errors... the Red LED starts to blink... and after the final OK the router stalls and I have to powercycle it.
jwoods
DD-WRT User


Joined: 13 Mar 2016
Posts: 403

PostPosted: Thu Jun 02, 2016 0:44    Post subject: Reply with quote
After it completes the load and writes the file, it should copy the file to flash, and then reboot the router...all on its own.

Let it run to completion...might take a few minutes.
Malachi
DD-WRT Guru


Joined: 17 Jul 2012
Posts: 7209
Location: Columbus, Ohio

PostPosted: Thu Jun 02, 2016 1:19    Post subject: Reply with quote
I have used this guide to un brick several buffalo routers, of course changing a few steps according to which router I was using it on.
http://scarygliders.net/2010/02/23/hacking-around-the-japanese-buffalo-wzr-hp-g300n/

_________________
I am far from a guru, I'm barely a novice.
jacubillo
DD-WRT Novice


Joined: 28 Jan 2014
Posts: 6

PostPosted: Thu Jun 02, 2016 3:00    Post subject: Reply with quote
@ jwoods:
Thanks for the tip... but I tried it and after 30mins the tftp command only uploaded the file... no flash copy or reboot ...

@ malachi:
I´m following the guide... thanks for that!

So far:

Guide says the magic number is 27 05 19 56... and that it should be at the beggining of the firmware file.. Just to check this, I found some commands for the serial console using its help:

printenv shows a "bootm BF060000" so I did a memory display of that block (page?) of memory:

ar7100> md BF060000
bf060000: 27051956 03ec29b8 52fc8144 00123f17 '..V..).R..D..?.
bf060010: 80060000 800646d0 2a9300a9 05050203 ......F.*.......
bf060020: 44442d57 52542076 3234204c 696e7578 DD-WRT v24 Linux
bf060030: 204b6572 6e656c20 496d6167 65000000 Kernel Image...
bf060040: 6d000080 00184733 00000000 0000006f m.....G3.......o
bf060050: fdffffa3 b77f4c34 f7744bb6 597aade6 ......L4.tK.Yz..
bf060060: eccd4460 336a114f 8f35d779 93883043 ..D`3j.O.5.y..0C
bf060070: 55e982b3 962f5564 0e339e69 cc5d694d U..../Ud.3.i.]iM
bf060080: c0f67a09 246811dd 96521ec7 2ba0977b ..z.$h...R..+..{
bf060090: 551b1068 ee3493e0 7b58b446 37746d8d U..h.4..{X.F7tm.
bf0600a0: ab7c9f8d bb0ce1bc cc587c03 964b789a .|.......X|..Kx.
bf0600b0: 5892c98a d420f062 4fe7cca5 efbd7dfa X.... .bO.....}.
bf0600c0: f26a72cd 1bd52706 9166d41c 61d79bca .jr...'..f..a...
bf0600d0: a51cce7d 51ba9ecc d004b0d3 3b0f325e ...}Q.......;.2^
bf0600e0: d5d4e754 d00bc7a5 573ef22a 2435c15c ...T....W>.*$5.\
bf0600f0: 81acd706 ad1fccda e3d11f37 4619ee73 ...........7F..s
ar7100>

Yes!! There it is! The 27 05 19 56 magic number!
Now...

Looking with a downloaded hex editor (HxD) I opened all the bin files I had... some are from buffalo website.. others from ddwrt...
One of them had the magic number in it!:

48 44 52 30 1C 20 1A 01 02 3E 9A B7 01 00 01 00 HDR0. ...>š·....
1C 00 00 00 00 00 00 00 00 00 00 00 27 05 19 56 ............'..V

So.. just as the guide says... I deleted everything prior to the 27 and saved the new file as "buf"

Lets try this again:

ar7100> tftp
Using eth0 device
TFTP from server 192.168.222.11; our IP address is 192.168.222.1
Filename 'buf'.
Load address: 0x84000000
Loading: #################################################################
....Shortening...
#####################################
done
Bytes transferred = 18489344 (11a2000 hex)
ar7100> iminfo

## Checking Image at 84000000 ...
Image Name: MIPS Linux Kernel Image
Created: 2013-03-25 3:55:58 UTC
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 1149164 Bytes = 1.1 MB
Load Address: 80002000
Entry Point: 802435e0
Verifying Checksum ... crc32_fw: 84000040 - 8411892b (len:001188ec) calc...
OK
ar7100>

It WORKS!!!

Now.. checking my env variables:

tmp_ram=84000000 (where u-boot will download tftp’d images to)
tmp_bottom=88000000 ()
fw_eaddr=BF060000 BEFFFFFF (the area of flash memory which u-boot will erase before copying any tftp’ed images to.)
region=US
bootm BF060000 (Where the WZR has it´s firmware it boots from permanently stored)

Bytes transferred = 18489344 (11a2000 hex)

So now... lets erase our flash:

ar7100> erase BF060000 BEFFFFFF
search sector 0xbf060000 - 0xbeffffff
BANK #1 (6 : 255)
000 PPPP.Poooooooooooooooooooooooooo
032 oooooooooooooooooooooooooooooooo
064 oooooooooooooooooooooooooooooooo
096 oooooooooooooooooooooooooooooooo
128 oooooooooooooooooooooooooooooooo
160 oooooooooooooooooooooooooooooooo
192 oooooooooooooooooooooooooooooooo
224 oooooooooooooooooooooooooooooooo
BANK #2 (0 : 255)
000 oooooooooooooooooooooooooooooooo
032 oooooooooooooooooooooooooooooooo
064 oooooooooooooooooooooooooooooooo
096 oooooooooooooooooooooooooooooooo
128 oooooooooooooooooooooooooooooooo
160 oooooooooooooooooooooooooooooooo
192 oooooooooooooooooooooooooooooooo
224 oooooooooooooooooooooooooooooooo

First 0x6 last 0xff sector size 0x10000 255

First 0x0 last 0xff sector size 0x10000 255
Erased 506 sectors

And confirm:

ar7100> fli

Bank # 1:
flash-id : C2201800
Size: 16384 KB in 256 Sectors
Sector Start Addresses:
BF000000 RO BF010000 RO BF020000 RO BF030000 RO BF040000
BF050000 RO BF060000 E BF070000 E BF080000 E BF090000 E
BF0A0000 E BF0B0000 E BF0C0000 E BF0D0000 E BF0E0000 E
BF0F0000 E BF100000 E BF110000 E BF120000 E BF130000 E
BF140000 E BF150000 E BF160000 E BF170000 E BF180000 E
BF190000 E BF1A0000 E BF1B0000 E BF1C0000 E BF1D0000 E
BF1E0000 E BF1F0000 E BF200000 E BF210000 E BF220000 E
BF230000 E BF240000 E BF250000 E BF260000 E BF270000 E
BF280000 E BF290000 E BF2A0000 E BF2B0000 E BF2C0000 E
BF2D0000 E BF2E0000 E BF2F0000 E BF300000 E BF310000 E
BF320000 E BF330000 E BF340000 E BF350000 E BF360000 E
BF370000 E BF380000 E BF390000 E BF3A0000 E BF3B0000 E
BF3C0000 E BF3D0000 E BF3E0000 E BF3F0000 E BF400000 E
BF410000 E BF420000 E BF430000 E BF440000 E BF450000 E
BF460000 E BF470000 E BF480000 E BF490000 E BF4A0000 E
BF4B0000 E BF4C0000 E BF4D0000 E BF4E0000 E BF4F0000 E
BF500000 E BF510000 E BF520000 E BF530000 E BF540000 E
BF550000 E BF560000 E BF570000 E BF580000 E BF590000 E
BF5A0000 E BF5B0000 E BF5C0000 E BF5D0000 E BF5E0000 E
BF5F0000 E BF600000 E BF610000 E BF620000 E BF630000 E
BF640000 E BF650000 E BF660000 E BF670000 E BF680000 E
BF690000 E BF6A0000 E BF6B0000 E BF6C0000 E BF6D0000 E
BF6E0000 E BF6F0000 E BF700000 E BF710000 E BF720000 E
BF730000 E BF740000 E BF750000 E BF760000 E BF770000 E
BF780000 E BF790000 E BF7A0000 E BF7B0000 E BF7C0000 E
BF7D0000 E BF7E0000 E BF7F0000 E BF800000 E BF810000 E
BF820000 E BF830000 E BF840000 E BF850000 E BF860000 E
BF870000 E BF880000 E BF890000 E BF8A0000 E BF8B0000 E
BF8C0000 E BF8D0000 E BF8E0000 E BF8F0000 E BF900000 E
BF910000 E BF920000 E BF930000 E BF940000 E BF950000 E
BF960000 E BF970000 E BF980000 E BF990000 E BF9A0000 E
BF9B0000 E BF9C0000 E BF9D0000 E BF9E0000 E BF9F0000 E
BFA00000 E BFA10000 E BFA20000 E BFA30000 E BFA40000 E
BFA50000 E BFA60000 E BFA70000 E BFA80000 E BFA90000 E
BFAA0000 E BFAB0000 E BFAC0000 E BFAD0000 E BFAE0000 E
BFAF0000 E BFB00000 E BFB10000 E BFB20000 E BFB30000 E
BFB40000 E BFB50000 E BFB60000 E BFB70000 E BFB80000 E
BFB90000 E BFBA0000 E BFBB0000 E BFBC0000 E BFBD0000 E
BFBE0000 E BFBF0000 E BFC00000 E BFC10000 E BFC20000 E
BFC30000 E BFC40000 E BFC50000 E BFC60000 E BFC70000 E
BFC80000 E BFC90000 E BFCA0000 E BFCB0000 E BFCC0000 E
BFCD0000 E BFCE0000 E BFCF0000 E BFD00000 E BFD10000 E
BFD20000 E BFD30000 E BFD40000 E BFD50000 E BFD60000 E
BFD70000 E BFD80000 E BFD90000 E BFDA0000 E BFDB0000 E
BFDC0000 E BFDD0000 E BFDE0000 E BFDF0000 E BFE00000 E
BFE10000 E BFE20000 E BFE30000 E BFE40000 E BFE50000 E
BFE60000 E BFE70000 E BFE80000 E BFE90000 E BFEA0000 E
BFEB0000 E BFEC0000 E BFED0000 E BFEE0000 E BFEF0000 E
BFF00000 E BFF10000 E BFF20000 E BFF30000 E BFF40000 E
BFF50000 E BFF60000 E BFF70000 E BFF80000 E BFF90000 E
BFFA0000 E BFFB0000 E BFFC0000 E BFFD0000 E BFFE0000 E
BFFF0000 E

Bank # 2:
flash-id : C2201800
Size: 16384 KB in 256 Sectors
Sector Start Addresses:
BE000000 E BE010000 E BE020000 E BE030000 E BE040000 E
BE050000 E BE060000 E BE070000 E BE080000 E BE090000 E
BE0A0000 E BE0B0000 E BE0C0000 E BE0D0000 E BE0E0000 E
BE0F0000 E BE100000 E BE110000 E BE120000 E BE130000 E
BE140000 E BE150000 E BE160000 E BE170000 E BE180000 E
BE190000 E BE1A0000 E BE1B0000 E BE1C0000 E BE1D0000 E
BE1E0000 E BE1F0000 E BE200000 E BE210000 E BE220000 E
BE230000 E BE240000 E BE250000 E BE260000 E BE270000 E
BE280000 E BE290000 E BE2A0000 E BE2B0000 E BE2C0000 E
BE2D0000 E BE2E0000 E BE2F0000 E BE300000 E BE310000 E
BE320000 E BE330000 E BE340000 E BE350000 E BE360000 E
BE370000 E BE380000 E BE390000 E BE3A0000 E BE3B0000 E
BE3C0000 E BE3D0000 E BE3E0000 E BE3F0000 E BE400000 E
BE410000 E BE420000 E BE430000 E BE440000 E BE450000 E
BE460000 E BE470000 E BE480000 E BE490000 E BE4A0000 E
BE4B0000 E BE4C0000 E BE4D0000 E BE4E0000 E BE4F0000 E
BE500000 E BE510000 E BE520000 E BE530000 E BE540000 E
BE550000 E BE560000 E BE570000 E BE580000 E BE590000 E
BE5A0000 E BE5B0000 E BE5C0000 E BE5D0000 E BE5E0000 E
BE5F0000 E BE600000 E BE610000 E BE620000 E BE630000 E
BE640000 E BE650000 E BE660000 E BE670000 E BE680000 E
BE690000 E BE6A0000 E BE6B0000 E BE6C0000 E BE6D0000 E
BE6E0000 E BE6F0000 E BE700000 E BE710000 E BE720000 E
BE730000 E BE740000 E BE750000 E BE760000 E BE770000 E
BE780000 E BE790000 E BE7A0000 E BE7B0000 E BE7C0000 E
BE7D0000 E BE7E0000 E BE7F0000 E BE800000 E BE810000 E
BE820000 E BE830000 E BE840000 E BE850000 E BE860000 E
BE870000 E BE880000 E BE890000 E BE8A0000 E BE8B0000 E
BE8C0000 E BE8D0000 E BE8E0000 E BE8F0000 E BE900000 E
BE910000 E BE920000 E BE930000 E BE940000 E BE950000 E
BE960000 E BE970000 E BE980000 E BE990000 E BE9A0000 E
BE9B0000 E BE9C0000 E BE9D0000 E BE9E0000 E BE9F0000 E
BEA00000 E BEA10000 E BEA20000 E BEA30000 E BEA40000 E
BEA50000 E BEA60000 E BEA70000 E BEA80000 E BEA90000 E
BEAA0000 E BEAB0000 E BEAC0000 E BEAD0000 E BEAE0000 E
BEAF0000 E BEB00000 E BEB10000 E BEB20000 E BEB30000 E
BEB40000 E BEB50000 E BEB60000 E BEB70000 E BEB80000 E
BEB90000 E BEBA0000 E BEBB0000 E BEBC0000 E BEBD0000 E
BEBE0000 E BEBF0000 E BEC00000 E BEC10000 E BEC20000 E
BEC30000 E BEC40000 E BEC50000 E BEC60000 E BEC70000 E
BEC80000 E BEC90000 E BECA0000 E BECB0000 E BECC0000 E
BECD0000 E BECE0000 E BECF0000 E BED00000 E BED10000 E
BED20000 E BED30000 E BED40000 E BED50000 E BED60000 E
BED70000 E BED80000 E BED90000 E BEDA0000 E BEDB0000 E
BEDC0000 E BEDD0000 E BEDE0000 E BEDF0000 E BEE00000 E
BEE10000 E BEE20000 E BEE30000 E BEE40000 E BEE50000 E
BEE60000 E BEE70000 E BEE80000 E BEE90000 E BEEA0000 E
BEEB0000 E BEEC0000 E BEED0000 E BEEE0000 E BEEF0000 E
BEF00000 E BEF10000 E BEF20000 E BEF30000 E BEF40000 E
BEF50000 E BEF60000 E BEF70000 E BEF80000 E BEF90000 E
BEFA0000 E BEFB0000 E BEFC0000 E BEFD0000 E BEFE0000 E
BEFF0000 E
ar7100>

Let´s go ahead and copy the firmware:

ar7100> cp.b 84000000 BF060000 11a2000
Copy to Flash...
Copy 18489344 byte to Flash...
write data: 84000000 --> bf060000 (len:fa0000)
write data: 84fa0000 --> c0000000 (len:202000)
done

And boot it:

ar7100> bootm BF060000
change bootargs
console=ttyS0,115200 root=31:03 rootfstype=jffs2 init=/sbin/init mtdparts=ar7100-nor0:256k(u-boot),64k(u-boot-env),1152k@384k(uImage),6592k@1536k(rootfs),64k@320k(ART),64k@8128k(properties),8192k@8192k(flash1),16384k@16384k(flash2) mem=128M
## Booting image at bf060000 ...
Image Name: MIPS Linux Kernel Image
Created: 2013-03-25 3:55:58 UTC
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 1149164 Bytes = 1.1 MB
Load Address: 80002000
Entry Point: 802435e0
Verifying Checksum ... crc32_fw: bf060040 - bf17892b (len:001188ec) calc...
crc32_fw: range1 bf060040 - bf17892b
OK
Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 802435e0) ...
## Giving linux memsize in bytes, 134217728

Starting kernel ...

[ 0.000000] bootconsole [early0] enabled
[ 0.000000] booting platform Atheros AR7161 rev 2 (0xaa)
[ 0.000000] Determined physical RAM map:
[ 0.000000] memory: 08000000 @ 00000000 (usable)
[ 0.000000] Zone ranges:
[ 0.000000] Normal [mem 0x00000000-0x07ffffff]
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x00000000-0x07ffffff]
[ 0.000000] Primary instruction cache 64kB, 4-way, VIPT, I-cache aliases, linesize 32 bytes.
[ 0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[ 0.000000] Linux version 3.5.7 (root@dd-wrt) (gcc version 4.7.3 20121205 (prerelease) (Linaro GCC 4.7-2012.12) ) #6124 Mon Mar 25 04:51:00 CET 2013
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 32512
[ 0.000000] Kernel command line: console=ttyS0,115200 root=1f02 rootfstype=squashfs noinitrd init=/sbin/init
[ 0.000000] PID hash table entries: 512 (order: -1, 2048 bytes)
[ 0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[ 0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[ 0.000000] __ex_table already sorted, skipping sort
[ 0.000000] Writing ErrCtl register=00000000
[ 0.000000] Readback ErrCtl register=00000000
[ 0.000000] Memory: 126432k/131072k available (2343k kernel code, 4640k reserved, 660k data, 168k init, 0k highmem)
[ 0.000000] NR_IRQS:80
[ 0.000000] irq init done
[ 0.000000] plat_time_init: plat time init done
[ 0.000000] Calibrating delay loop... 452.19 BogoMIPS (lpj=2260992)
[ 0.060000] pid_max: default: 32768 minimum: 301
[ 0.060000] Mount-cache hash table entries: 512
[ 0.070000] NET: Registered protocol family 16
[ 3.070000] registering PCI controller with io_map_base unset
[ 3.080000] bio: create slab <bio-0> at 0
[ 3.090000] PCI host bridge to bus 0000:00
[ 3.090000] pci_bus 0000:00: root bus resource [mem 0x10000000-0x16ffffff]
[ 3.100000] pci_bus 0000:00: root bus resource [io 0x0000]
[ 3.100000] found calibration data for slot 0 on 0xBF051000
[ 3.110000] PCI: fixup device 0000:00:00.0
[ 3.120000] found calibration data for slot 1 on 0xBF055000
[ 3.130000] PCI: fixup device 0000:00:01.0
[ 3.130000] pci 0000:00:00.0: BAR 0: assigned [mem 0x10000000-0x1000ffff]
[ 3.140000] pci 0000:00:01.0: BAR 0: assigned [mem 0x10010000-0x1001ffff]
[ 3.140000] Switching to clocksource MIPS
[ 3.150000] NET: Registered protocol family 2
[ 3.150000] IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 3.160000] TCP established hash table entries: 4096 (order: 3, 32768 bytes)
[ 3.170000] TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
[ 3.170000] TCP: Hash tables configured (established 4096 bind 4096)
[ 3.180000] TCP: reno registered
[ 3.180000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[ 3.190000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[ 3.190000] NET: Registered protocol family 1
[ 3.200000] gpio_proc: module loaded and /proc/gpio/ created
[ 3.200000] Register LED Device
[ 3.210000] wl0gpio_proc: module loaded and /proc/wl0gpio/ created
[ 3.210000] AR7100 GPIOC major 0
[ 3.220000] squashfs: version 3.0 (2006/03/15) Phillip Lougher
[ 3.220000] msgmni has been set to 246
[ 3.230000] alg: No test for stdrng (krng)
[ 3.230000] io scheduler noop registered
[ 3.240000] io scheduler deadline registered (default)
[ 3.240000] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
[ 3.270000] serial8250.0: ttyS0 at MMIO 0x18020000 (irq = 19) is a 16550A
[ 3.280000] console [ttyS0] enabled, bootconsole disabled
[ 3.280000] console [ttyS0] enabled, bootconsole disabled
[ 3.290000] check spi banks 2
[ 3.290000] 0000 : C2 20 18
[ 3.290000] found MX25L128-45E device on bank#0
[ 3.300000] 0000 : C2 20 18
[ 3.300000] found MX25L128-45E device on bank#1
[ 3.310000] SPI flash size total:32 Mbytes
[ 3.400000]
[ 3.400000] found squashfs at 179000
[ 3.400000] Creating 9 MTD partitions on "ar7100-nor0":
[ 3.410000] 0x000000000000-0x000000050000 : "RedBoot"
[ 3.410000] 0x000000060000-0x000001fe0000 : "linux"
[ 3.420000] 0x000000179000-0x000001210000 : "rootfs"
[ 3.430000] mtd: partition "rootfs" must either start or end on erase block boundary or be smaller than an erase block -- forcing read-only
[ 3.440000] mtd: partition "rootfs" set to be root filesystem
[ 3.450000] 0x000001210000-0x000001fe0000 : "ddwrt"
[ 3.450000] 0x000001fe0000-0x000001ff0000 : "nvram"
[ 3.460000] 0x000001ff0000-0x000002000000 : "FIS directory"
[ 3.460000] 0x000001ff0000-0x000002000000 : "board_config"
[ 3.470000] 0x000000000000-0x000002000000 : "fullflash"
[ 3.480000] 0x000000040000-0x000000050000 : "uboot-env"
[ 3.480000] tun: Universal TUN/TAP device driver, 1.6
[ 3.490000] tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
[ 3.890000] PPP generic driver version 2.4.2
[ 3.900000] PPP BSD Compression module registered
[ 3.900000] PPP Deflate Compression module registered
[ 3.910000] PPP MPPE Compression module registered
[ 3.910000] NET: Registered protocol family 24
[ 3.930000] u32 classifier
[ 3.930000] Performance counters on
[ 3.940000] input device check on
[ 3.940000] Actions configured
[ 3.950000] Netfilter messages via NETLINK v0.30.
[ 3.950000] nf_conntrack version 0.5.0 (1975 buckets, 7900 max)
[ 3.960000] nf_conntrack_rtsp v0.6.21 loading
[ 3.960000] nf_nat_rtsp v0.6.21 loading
[ 3.970000] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 3.970000] IPP2P v0.8.2 loading
[ 3.970000] TCP: bic registered
[ 3.980000] TCP: cubic registered
[ 3.980000] TCP: westwood registered
[ 3.980000] TCP: highspeed registered
[ 3.990000] TCP: hybla registered
[ 3.990000] TCP: htcp registered
[ 3.990000] TCP: vegas registered
[ 4.000000] TCP: veno registered
[ 4.000000] TCP: scalable registered
[ 4.000000] TCP: lp registered
[ 4.010000] TCP: yeah registered
[ 4.010000] TCP: illinois registered
[ 4.010000] NET: Registered protocol family 17
[ 4.020000] Bridge firewalling registered
[ 4.020000] 8021q: 802.1Q VLAN Support v1.8
[ 4.030000] searching for nvram
[ 4.030000] nvram size = 0
[ 4.110000] Broken NVRAM found, recovering it (Magic FFFFFFFF)
[ 4.120000] Atheros AR71xx hardware watchdog driver version 0.1.0
[ 4.130000] ar71xx-wdt: timeout=15 secs (max=25) ref freq=170000000
[ 4.140000] VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
[ 4.140000] Freeing unused kernel memory: 168k freed
start service
starting Architecture code for wzrag300nh
starting hotplug
Jan 1 00:00:05 udevtrigger[285]: parse_config_file: can't open '/etc/udev/udev.conf' as config file: No such file or directory
start MSTP Daemon
1970-01-01 00:00:06 main: Sanity checks succeeded
done
load ag71xx or ag7100_mod Ethernet Driver
[ 6.440000] switch0: Atheros AR8316 switch registered on ag71xx-mdio.0
[ 6.440000] ag71xx_mdio: probed
[ 6.450000] eth0: Atheros AG71xx at 0xb9000000, irq 4, mode:RGMII
[ 6.760000] ar8316: Using port 4 as switch port
[ 8.280000] ag71xx ag71xx.0: eth0: connected to PHY at ag71xx-mdio.0:00 [uid=004dd041, driver=Atheros AR8216/AR8236/AR8316]
[ 8.290000] eth1: Atheros AG71xx at 0xba000000, irq 5, mode:RGMII
[ 8.610000] ar8316: Using port 4 as PHY
[ 10.640000] ag71xx ag71xx.1: eth1: connected to PHY at ag71xx-mdio.0:04 [uid=004dd041, driver=Atheros AR8216/AR8236/AR8316]
load ATH 802.11 a/b/g Driver
insmod: ath_hal.ko: module not found
insmod: ath_pci.ko: module not found
insmod: ath_ahb.ko: module not found
load ATH9K 802.11n Driver
[ 11.530000] Compat-drivers backport release: compat-drivers-2013-01-21-1
[ 11.540000] Backport based on wireless-testing.git master-2013-02-22
[ 11.540000] compat.git: wireless-testing.git
insmod: compat_firmware_class.ko: module not found
[ 11.670000] cfg80211: Calling CRDA to update world regulatory domain
[ 11.670000] cfg80211: World regulatory domain updated:
[ 11.680000] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
[ 11.690000] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 11.690000] cfg80211: (2457000 KHz - 2482000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
[ 11.700000] cfg80211: (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
[ 11.710000] cfg80211: (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 11.720000] cfg80211: (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 12.200000] ieee80211 phy0: Atheros AR9280 Rev:2 mem=0xb0000000, irq=48
[ 12.210000] PCI: Enabling device 0000:00:01.0 (0000 -> 0002)
[ 12.260000] ieee80211 phy1: Atheros AR9280 Rev:2 mem=0xb0010000, irq=49
[ 12.270000] cfg80211: Calling CRDA for country: US
[ 12.280000] cfg80211: Regulatory domain changed to country: US
[ 12.280000] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
[ 12.290000] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2700 mBm)
[ 12.300000] cfg80211: (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 1700 mBm)
[ 12.310000] cfg80211: (5250000 KHz - 5330000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 12.320000] cfg80211: (5490000 KHz - 5600000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 12.320000] cfg80211: (5650000 KHz - 5710000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 12.330000] cfg80211: (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 3000 mBm)
[ 12.340000] cfg80211: (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 4000 mBm)
[USB] checking...
umount: can't umount /mnt: No such file or directory
rmmod: usblp: No such file or directory
rmmod: printer: No such file or directory
rmmod: usb-storage: No such file or directory
rmmod: sr_mod: No such file or directory
rmmod: cdrom: No such file or directory
rmmod: sd_mod: No such file or directory
rmmod: scsi_wait_scan: No such file or directory
rmmod: scsi_mod: No such file or directory
rmmod: usb-ohci: No such file or directory
rmmod: ohci-hcd: No such file or directory
rmmod: uhci-hcd: No such file or directory
rmmod: usb-uhci: No such file or directory
rmmod: ehci-pci: No such file or directory
rmmod: ehci-platform: No such file or directory
rmmod: ehci-hcd: No such file or directory
rmmod: usbcore: No such file or directory
rmmod: usb-common: No such file or directory
rmmod: xfs: No such file or directory
rmmod: msdos: No such file or directory
rmmod: vfat: No such file or directory
rmmod: fat: No such file or directory
rmmod: nls_utf8: No such file or directory
rmmod: nls_iso8859-2: No such file or directory
rmmod: nls_iso8859-1: No such file or directory
rmmod: nls_cp437: No such file or directory
rmmod: nls_cp932: No such file or directory
rmmod: nls_cp936: No such file or directory
rmmod: nls_cp950: No such file or directory
rmmod: nls_base: No such file or directory
rmmod: ext3: No such file or directory
rmmod: jbd: No such file or directory
rmmod: ext2: No such file or directory
rmmod: mbcache: No such file or directory
rmmod: fuse: No such file or directory
[ 13.310000] eth0: link up (1000Mbps/Full duplex)
ath9k deconfigure_single: phy0 ath0
ath9k deconfigure_single: phy1 ath1
CTL_set_cist_bridge_config: Got return code 0, -1
Couldn't find bridge with index 6

Couldn't change bridge bridge_forward_delay
killall: ea[ 14.810000] eth0: link down
d: no process killed
[ 14.840000] device eth0 entered promiscuous mode
/bin/sh: ead: not found
ifconfig: ioctl 0x8914 failed: Cannot assign requested address
ath9k deconfigure_single: phy0 ath0
ath9k deconfigure_single: phy1 ath1
[ 14.900000] cfg80211: Calling CRDA to update world regulatory domain
[ 14.900000] cfg80211: World regulatory domain updated:
[ 14.910000] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
[ 14.920000] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 14.920000] cfg80211: (2457000 KHz - 2482000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
[ 14.930000] cfg80211: (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
[ 14.940000] cfg80211: (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 14.950000] cfg80211: (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 14.980000] cfg80211: Calling CRDA for country: US
[ 14.990000] cfg80211: Regulatory domain changed to country: US
[ 14.990000] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
[ 15.000000] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2700 mBm)
[ 15.010000] cfg80211: (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 1700 mBm)
[ 15.020000] cfg80211: (5250000 KHz - 5330000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 15.020000] cfg80211: (5490000 KHz - 5600000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 15.030000] cfg80211: (5650000 KHz - 5710000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 15.040000] cfg80211: (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 3000 mBm)
[ 15.050000] cfg80211: (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 4000 mBm)
ath9k configure_single: phy0 ath0
549:ath0
call mac80211autochannel for interface: ath0
[ 16.630000] eth0: link up (1000Mbps/Full duplex)
[ 16.630000] br0: port 1(eth0) entered forwarding state
[ 16.640000] br0: port 1(eth0) entered forwarding state
[ 17.180000] nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.
freq:2412 qual:93 noise:-95
freq:2417 qual:46 noise:-95
freq:2422 qual:69 noise:-95
freq:2427 qual:69 noise:-95
freq:2432 qual:44 noise:-95
freq:2437 qual:90 noise:-95
freq:2442 qual:45 noise:-95
freq:2447 qual:68 noise:-95
freq:2452 qual:66 noise:-95
freq:2457 qual:46 noise:-95
freq:2462 qual:81 noise:-95
mac80211autochannel interface: ath0 frequency: 2412
setup ath0 B0:C7:45:76:0B:D8
Configuration file: /tmp/ath0_hostap.conf
Using interface ath0 with hwaddr b0:c7:45:76:0b:d8 and ssid "dd-wrt"
[ 18.310000] device ath0 entered promiscuous mode
[ 18.320000] br0: port 2(ath0) entered forwarding state
[ 18.320000] br0: port 2(ath0) entered forwarding state
ath9k configure_single: phy1 ath1
549:ath1
call mac80211autochannel for interface: ath1
freq:5180 qual:95 noise:-95
freq:5200 qual:95 noise:-95
freq:5220 qual:95 noise:-95
freq:5240 qual:95 noise:-95
freq:5260 qual:95 noise:-95
freq:5280 qual:95 noise:-95
freq:5300 qual:95 noise:-95
freq:5320 qual:95 noise:-95
freq:5500 qual:95 noise:-95
freq:5520 qual:95 noise:-95
freq:5540 qual:95 noise:-95
freq:5560 qual:95 noise:-95
freq:5580 qual:95 noise:-95
freq:5660 qual:95 noise:-95
freq:5680 qual:95 noise:-95
freq:5700 qual:95 noise:-95
freq:5745 qual:95 noise:-95
freq:5765 qual:95 noise:-95
freq:5785 qual:95 noise:-95
freq:5805 qual:95 noise:-95
freq:5825 qual:95 noise:-95
mac80211autochannel interface: ath1 frequency: 5180
setup ath1 B0:C7:45:76:0B:D9
Configuration file: /tmp/ath1_hostap.conf
Using interface ath1 with hwaddr b0:c7:45:76:0b:d9 and ssid "dd-wrt"
[ 23.210000] device ath1 entered promiscuous mode
[ 23.210000] br0: port 3(ath1) entered forwarding state
[ 23.220000] br0: port 3(ath1) entered forwarding state
killall: roaming_daemon: no process killed
rmmod: bonding: No such file or directory
cp: can't stat '/tmp/mycron.d/*': No such file or directory
cp: can't stat '/jffs/mycron.d/*': No such file or directory
cp: can't stat '/mmc/mycron.d/*': No such file or directory
rmmod: n_hdlc: No such file or directory
[ 23.930000] device eth1 entered promiscuous mode
[ 23.950000] device eth1 left promiscuous mode
SIOCGIFFLAGS: No such device
ath9k radio 1: phy0 ath0
ath9k radio 1: phy1 ath1
nvram was changed, needs commit, waiting 10 sec.
[ 25.050000] etherip: Ethernet over IPv4 tunneling driver
The Milkfish Router Services
ERROR: Necessary service setting not found: milkfish_username - aborting.
rmmod: ipt_webstr: No such file or directory
rmmod: ipt_layer7: No such file or directory
rmmod: xt_layer7: No such file or directory
rmmod: ipt_ipp2p: No such file or directory
The Milkfish Router Services
Restoring SIP ddsubscriber database from NVRAM...
Empty.
The Milkfish Router Services
Restoring SIP ddaliases database from NVRAM...
Empty.
killall: proxywatchdog.sh: no process killed
umount: can't umount /mnt/smbshare: No such file or directory
rmmod: cifs: No such file or directory
rmmod: fscache: No such file or directory
killall: schedulerb.sh: no process killed
killall: shatd: no process killed
killall: wdswatchdog.sh: no process killed
rmmod: xt_physdev: No such file or directory
rmmod: xt_IMQ: No such file or directory
rmmod: ipt_IMQ: No such file or directory
rmmod: imq: No such file or directory
rmmod: sch_codel: No such file or directory
rmmod: sch_fq_codel: No such file or directory
[ 31.680000] br0: port 1(eth0) entered forwarding state
[ 33.360000] br0: port 2(ath0) entered forwarding state
[ 38.240000] br0: port 3(ath1) entered forwarding state

DD-WRT login:


SUUUUUUUCESS!!!!!

Malachi!!! You good sir are my new hero! Thanks for the guide!!!
excel4x
DD-WRT Novice


Joined: 24 Feb 2007
Posts: 25

PostPosted: Mon Sep 25, 2017 16:35    Post subject: Re: WZR-600DHP with locked IDEXX custom firmware. Reply with quote
jacubillo wrote:
Hi,

Bought a cheap Buffalo WZR-600DHP router on ebay and when it arrived first thing I did was plug it and hold it's reset button for 10seconds to do a factory reset. Turns out the router kept it's IDEXX and LAB_Guest SSIDs... looking more into it, I found out it has a custom ddwrt firmware made by a veterinary company named (you guessed it) IDEXX and used to connect their analyzing equipment or whatever...

I managed to get myself a serial connetion with a usb-serial converter and arrived at a ar7100> console prompt. I'm trying to tfp a new ddwrt image but when I try to boot into it I get a Bad Magic Number, Bad Header Checksum, and Bad Data CRC errors. This is the first time I try to use a router's serial console and flash it by tftp so this is all new to me.

What can be made to re-flash this router with a "normal" ddwrt image or even with the stock buffalo firmware?
I can post the boot messages and all env variables if required. U-boot shows as>

BUFFALO U-BOOT Ver 1.00
== CPU:680MHz, DDR:340MHz, AHB:170MHz ==
AP96 (ar7100) U-boot 0.0.1
DRAM: 128 MB
Top of RAM usable for U-Boot at: 84000000
Reserving 266k for U-Boot at: 83fbc000

I don't want to do anything that may brick even more this router...



I just received a similar item. I called IDEXX tech support and they told me the default password: "Idexx123"
the user name is admin.

This worked and I was able to upgrade the firmware to standard DD-WRT.
jacubillo
DD-WRT Novice


Joined: 28 Jan 2014
Posts: 6

PostPosted: Mon Sep 25, 2017 17:09    Post subject: Reply with quote
I was able to solve this by following a japanese guide on how to flash a custom firmware using jtag or serial hardware access. I remember having to edit some hex fields and other stuff I barely manage to comprehend but I was able to load ddwrt on the router...
Your option is waaay easier Laughing and I wish I had that user/pass info ...
Hope your reply might help anyone in the future to solve this.
N0NB
DD-WRT Novice


Joined: 22 Nov 2019
Posts: 3

PostPosted: Fri Nov 22, 2019 12:38    Post subject: Reply with quote
My apologies for resurrecting this old thread, but I have an exact same issue, purchased a WZR-600dhp off eBay with IDEXX branded firmware with a date/version that matches the OP of this thread exactly.

Even with the username and password provided toward the end of this thread I have not been successful flashing the firmware from the Web UI.

I had no success with tftp upload, though I'm uncertain of the exact IP address to connect to.

I installed a four pin header and have been able to watch the boot process from the JTAG interface. I have not been able to login as the We UI username and password are apparently not enabled for console login by default.

I have not been able to interrupt uboot to access its command prompt to try the tricks the OP shows. How can I break into uboot on this custom DD-WRT firmware?
bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 2029

PostPosted: Sat Nov 23, 2019 2:20    Post subject: Reply with quote
N0NB wrote:
I had no success with tftp upload, though I'm uncertain of the exact IP address to connect to.


https://wiki.dd-wrt.com/wiki/index.php/Buffalo_WZR-HP-AG300H#WZR-600DHP

https://wiki.dd-wrt.com/wiki/index.php/Buffalo_WZR-HP-AG300H#De-bricking_and_TFTP_Info

It should be 192.168.11.1. Set static ip of 192.168.11.2 on pc.

Thank You!!

This thread gave me the info I needed to finally unbrick my wzr-hp-ag300h with serial
which is pretty much the same router.
I abandoned it months ago and just used it as a switch from time to time.

jacubillo wrote:
Yes!! There it is! The 27 05 19 56 magic number!
Now...
Looking with a downloaded hex editor (HxD) I opened all the bin files I had... some are from buffalo website.. others from ddwrt...
One of them had the magic number in it!:


I edited an openwrt file with the magic number in it and now it has openwrt firmware on it.

Now to figure out how to get bak to DD-WRT Confused

_________________
Forum Guide Lines (with helpful pointers about how to research your router, where and what firmware to download, where and how to post and many other helpful tips!)
How to get help the right way

Before asking for help - Read the forum guidelines AND Upgrade DD-WRT!
Adblock by eibgrad + Blocklist Collection
N0NB
DD-WRT Novice


Joined: 22 Nov 2019
Posts: 3

PostPosted: Sun Nov 24, 2019 1:21    Post subject: Reply with quote
I'm not sure the 192.168.11.1 address is correct for this firmware as it defaults to 192.168.222.1. Line 220 of defaults.c shows this:

https://github.com/mirror/dd-wrt/blob/master/src/router/services/sysinit/defaults.c

Where did you find the OpenWRT image with the magic number? That may prove to be very helpful to me!
bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 2029

PostPosted: Sun Nov 24, 2019 3:09    Post subject: Reply with quote
N0NB wrote:
Where did you find the OpenWRT image with the magic number? That may prove to be very helpful to me!


Mine is a different router but the openwrt page for WZR-600DHP:
https://openwrt.org/toh/buffalo/wzr-600dhp

I checked this file and the number is there.
I deleted everything before 27 05 19 56 for mine.
https://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/openwrt-15.05.1-ar71xx-generic-wzr-600dhp-squashfs-tftp.bin

I have not yet solved how to get back to stock Buffalo or DD-WRT but it is usable on OPENWRT.

_________________
Forum Guide Lines (with helpful pointers about how to research your router, where and what firmware to download, where and how to post and many other helpful tips!)
How to get help the right way

Before asking for help - Read the forum guidelines AND Upgrade DD-WRT!
Adblock by eibgrad + Blocklist Collection
bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 2029

PostPosted: Sun Nov 24, 2019 4:26    Post subject: Reply with quote
Update: Thanks to @Malachi, all the information I needed
was in the link he provided.

Opened a wzr-hp-ag300h-dd-wrt-webupgrade-MULTI.bin with GHEX and found the number there.

Deleted everything before, renamed it "buf" and loaded it with serial and it worked.
Now back on DD-WRT Very Happy Cool

Probably should have checked that yesterday before I used openwrt file Embarassed

_________________
Forum Guide Lines (with helpful pointers about how to research your router, where and what firmware to download, where and how to post and many other helpful tips!)
How to get help the right way

Before asking for help - Read the forum guidelines AND Upgrade DD-WRT!
Adblock by eibgrad + Blocklist Collection
N0NB
DD-WRT Novice


Joined: 22 Nov 2019
Posts: 3

PostPosted: Mon Nov 25, 2019 2:29    Post subject: Reply with quote
Many thanks for the help from all! I made a few mistakes but I got rid of the IDEXX firmware and am now happily running the latest WRT. I wound up having to use gtkterm on Debian in order to send the break character to uboot and get its prompt. Then I was able to get to work and have success.

Thanks again.
Goto page 1, 2  Next Display posts from previous:    Page 1 of 2
Post new topic   Reply to topic    DD-WRT Forum Index -> Atheros WiSOC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum