Though the whole flashing process can be done via Web interface(dd-wrt to stock and vice versa) without getting your hands dirty, still, there're cases that the Web flashing is not sufficient. One common scenario is a bricked WZR-HP-G300NH, i.e., no web access and no ping response due to bad firmware or wrong operation, or you just want to try other firmware like OpenWrt. Luckily that the WZR-HP-G300NH has a robust bootloader and the router can be recovered by using TFTP, either in Windows, Linux or OSX.
It's a little tricky comparing to traditional Broadcom routers, as the WZR-HP-G300NH will not broadcast its MAC during initial bootup process, as a result, we must tell the computer how to communicate with the router by manipulating its arp table.
TFTP recovery in Windows
*Untested, credit goes to ermax at D-WRT forum
- Get your router's MAC, its the 12 digit default SSID printed on the sticker at the back of the router, starting with 00. Then you'll need to break it down every two digit by inserting : or - between them.
- Download the latest official firmware(in case of recovery) from Buffalo's official website. Extract to get the firmware, in my case, its 1.74 and the firmware name is wzrhpg300nh-174, ~20MB.
Also download the Linksys TFTP utility.
- (May not necessary) Do a hard reset or 30/30/30 on the router.
- Unplug all the ethernet cable and the power cable and connect the computer directly to the router(still leave it off)
- Set the computer's static IP to 192.168.11.2, netmask 255.255.255.0, gateway/DNS 192.168.11.1.
- Open a Windows command prompt as Administrator. This is default on Windows XP, under Windows Vista/7, type cmd in the search box from Start menu, then press Ctrl+Shift+Enter. You will be prompted with the User Account Control dialog.
- Type route print to get a list of your NIC(s). Write down the interface number for the LAN card, in my case, it's 12.
- Now type the command below to get the ARP binding(thanks ermax at DD-WRT forum):
netsh interface ipv4 add neighbors 12 192.168.11.1 00-1d-12-34-56-78
Replacing the number 12 with the interface number and 00-1d-12-34-56-78 with the router's MAC address.
- Run Linksys TFTP utility. Put 192.168.11.1 as Server address, Password empty, File is wzrhpg300nh-174 just extracted, set retry time to 30.
- Click "Upgrade" in the TFTP utility and quickly plug the power back to turn on the router. There might be few failed attempts but the flash process should start later. Wait patiently the router will reboot itself when the upgrade is done. Navigate to http://192.168.11.1(for stock firmware) to configure your router.
TFTP recovery in Linux
*Most of this part is from DD-WRT wiki with some tweak. TEST WORKING
Will use Ubuntu Live CD as an example but other distro should also work. The Ubuntu LiveCD can be booted from a USB flash drive. See here.
- Do Step 1-4 in "TFTP recovery in Windows" except we don't need Linksys TFTP utility here. So we have MAC address ready, router unpowered and the computer is directly connected to the router.
- After booting into Ubuntu, open a terminal and type:
sudo apt-get update
sudo apt-get install tftp-hpa
sudo /etc/init.d/networking stop
sudo ifconfig eth0 192.168.11.2
sudo ifconfig eth0 netmask 255.255.255.0
sudo arp -s 192.168.11.1 00:1D:12:34:56:78
#change to the folder where you put the firmware image, if it's on desktop then it's
#"/home/ubuntu/Desktop".
cd /home/ubuntu/Desktop
tftp 192.168.11.1
*from this point, you're under tftp command prompt, the "tftp>" is the prompt tftp gives you, you just need to type the command AFTER that.
tftp> verbose
tftp> binary
tftp> trace
tftp> rexmt 1
tftp> timeout 60
tftp> put wzrg300nh-firmware.tftp
Replace the fictional MAC in red with the router's. All command you need to input is in italic. Also replace wzrg300nh-firmware.tftp with the firmware you need, in case of stock firmware, its wzrhpg300nh-174.
Also, at this point, the router is still unpowered and that's OK. Tftp will keep trying to send the firmware to the router and when it fails (because the router isn't yet on or hasn't yet brought up it's tftp interface) it will wait 1 second and retry, up to 60 times as that's how we set up the tftp client.
- Now quickly plug the power cord back to the router. The router will start up and you will see some lights blinking (possibly). About 10-20 seconds in, you should notice that tftp is sending the file. instead of the retry message over and over you will see some progress scrolling down the screen and at the end it will tell you how many blocks or bytes were transferred in how many second.
- After the transfer is complete, wait about 5-10 minutes the router will reboot itself. When the wireless LED is on you're good to go.
- Bring the network back in Linux by typing
sudo service networking start
TFTP recovery in OSX
*Untested, credit goes to BDawg at DD-WRT forum
*Untested, credit goes to BDawg at DD-WRT forum
- Do Step 1-4 in "TFTP recovery in Windows" except we don't need Linksys TFTP utility here. So we have MAC address ready, router unpowered and the computer is directly connected to the router.
- Set the computer's static IP to 192.168.11.2, netmask 255.255.255.0, gateway/DNS 192.168.11.1.
- Open a terminal and type
sudo arp -s 192.168.11.1 00:1D:12:34:56:78 ifscope en0
Replace with your own router's MAC.
- Type
tftp 192.168.11.1
tftp> put wzrhpg300nh-174
Don't press Enter
- Now plug the power cord back and hit Enter to start tftp transfer.
48 comments:
Is it able to apply this method on WZR-HP-G300NH Japanese version? I have problems with DD-WRT firmware on WZR-HP-G300NH so I want to use Buffalo original English firmware (1.74)
Thanks!
It is not that easy.
you might want to read this first.
http://scarygliders.net/?p=13
Hello,
I had a WZR-HP-G300NH with DD-WRT on it. I then tried to upgrade using mtd to Open-WRT. The router rebooted with blinking Diagnostic light - pause, 2 red blinks, pause.
I tried tftp'ing dd-wrt and openwrt, nothing worked, mostly because the file never transferred completely before the timeout, and the ole' red light would just blink away.
I now tried the official buffalo 1.74 firmware as described on this page, and the file transferred over correctly with tftp, all 21541116 bytes in 50.9 seconds (phew!). The router did not reboot though, I left it about 20 minutes. Rebooting it manually does nothing either, same old blinking Red light.
Any ideas for me? Much appreciated!!
While trying to install open-wrt I have more or less bricked my router. I can connect to it's Wi-Fi but DHCP seems to be messed up. LAN cable connect doesn't work neither.
I tried all the options for all 3 OS but it doesn't work. Everything just keep timeout. The router does not response to 30/30/30 reset. It boots with a red DIAG and goes to blinking green Router LED for a few seconds then stay on.
Any help is appreciated.
A very important step should be added to "TFTP recovery in Windows"
Step 8a) Turn off your windows firewall!
Otherwise nothing happens because the Windows firewall blocks the tftp ack packets from the router.
I lost a lot of time on this - assuming that the router has a problem I forgot other simple issues such as firewalling. ;-(
Thanks for a great article.
Best regards
Steen Larsen
Heavy P, I had the same problem on my end. I sent the router back and got a new one, then somehow did the same thing on the second one. It worked fine for a while then ... I'm going to Jtag it. I will include detailed instructions once I've completed the process. I'm attempting the CA-42 nokia cable approach. wish me luck
Had problems by flashing with the linksys TFTP tool, but it was working under ubuntu. Thanks!
I can confirm that you CAN get this to work in Windows. I used Win7, so I don't know if that will make a difference over XP, but it does work. Also, I used a different TFTP client which successfully sent the image, Pumpkin TFTP: http://kin.klever.net/pumpkin/
The only thing I changed was the network timeout from default of 30 seconds, up to 60. Worked like a charm :)
Also, if you are getting the solid diag light and 45 second repeating reboot, the IP address is 192.168.11.1 even if you've put DD-WRT on in the past and changed the IP to something different.
TFTP recovery in Windows: it worked with Win7 and saved my router - thank you!
The router will not restart
It work with WHR-HP-G300N also.
i cant get it to work, even with the pumpkin tftp.
is my mac address also the SSID? label on the back of the router?
Thank you!!
I mean even with the correct mac address in my arp tables i still cant get it to work. any suggestions? firewall off.
(anonymous) but my name is michael.
I got this to work with OS X. HOWEVER, I believe that there are two steps missing from the OSX instructions above.
First: It won't work if you connect your Mac directly to the router, as per step 4 of the Windows instructions. You need to have a switch between the two (if your old wireless router still works, it will do). This is because the Mac uses carrier detect to automatically bring network interfaces up and down, and your ethernet interface needs to be up and running at the moment you power the router on, or you'll miss the little window when the tftp transfer can happen. So, ethernet cable from Mac to a switch, and ethernet cable from the switch to one of the ethernet ports on the router.
Second: before issuing the put command in tftp, you need to do "binary". Adding "trace" is nice as well, as you see progress as the transfer happens. So, your tftp session should look like this:
tftp 192.168.11.1
tftp> binary
tftp> trace
tftp> put wzrhpg300nh-174
On XP the route print screen looks different, also that netsh command doesnt work, the "add neighbors" option doesnt seem to exist.
Hello, very nice trick, thank you so much ;)
My g300nh problem is slightly different. After the DIAG light goes out after boot, the router light blinks continuously
While following the post, tcpdump is showing:
IP 192.168.1.1.40841 > 192.168.1.255.4919: UDP, length 1001
IP 192.168.1.2.57387 > 192.168.1.1.tftp: 25 WRQ "image" octet pass
IP 192.168.1.1 > 192.168.1.2: ICMP 192.168.1.1 UDP port tftp unreachable, length 61
Seems like it's firewalled and the 30-sec and 30/30/30 do nothing. Any ideas?
Great help. My WZR-G300NH was stuck.
But with you help, I have it up and running perfectly again.
Used Windows 7 (diabled firewall)
Used Pumpkin TFTP(where timeout was increaded to 120 sec). Used dd-wrt software, but managed to revert back using instruction found here:http://www.dd-wrt.com/wiki/index.php/Buffalo_WZR-HP-G300NH
I bricked 2 routers going from DD-WRT to OpenWRT using this wiki: http://wiki.openwrt.org/toh/buffalo/wzr-hp-g300h using the mtd method. Tried 2 different OpenWRT firmwares - both times I have a bricked router.
The behavior on both boards after reboot is a read diag light for approx 15-20 seconds, then the router light blinks for about 5 seconds, and goes solid.
I tried to connect via serial using a TTL-232R-3v3 cable with the pins to the correct points using this (and other) forums http://www.dd-wrt.com/phpBB2/viewtopic.php?p=434920 but to no avail. I know I am close, because I can power the board separately (exact same behavior as described above) off the 3.3v, but I don't get any output on the serial terminal.
I have tried these directions above about 5 times on both Win7 and Linux - but can't get any response on any tftp. I am kind of stuck. Any help would be very appreciated!
Spencer
@Spencer
Mine shared the same symptoms.
Followed the steps of Awrimukas at http://www.dd-wrt.com/phpBB2/viewtopic.php?t=68899 with BrainSlayer's modification at http://www.dd-wrt.com/phpBB2/viewtopic.php?t=87579 .
(arp -s 192.168.11.1 02-AA-BB-CC-DD-1A)
Flashed OpenWRT's image successfully.
Oh, also: A 30/30/30 reset does nothing on OpenWRT except brick it further. Ignore that step.
I tried with tftp for ever but could not bring it back to life even though it was receiving the file. After 12 hours or so I figured out that setting the router switch to ON rather than AUTO got it working! Huzzah
Got the router today, I tried to update via online. It didn't show anything while updating (not even a progress bar), restart the router and found it was bricked.
Tried 30/30/30, used ARP, used, tFTP from linksys, used PumpKin tFTP, disable firewall, none of them are working. Now I'm stuck with this stupid router.
Here is the instructions to revert from commmunity to bufffalo pro version or simplified for WZR-HP-AG300H, compiled based of forum's data (thanks to everybody for the input). You can then use Web GUI to go back to community version of DD-WRT.
Client pc:
192.168.11.2. Set the netmask to 255.255.255.0 and the gateway to 192.168.11.1
Now connect your cable to the router with the router off.
In Command Mode (run as admin on win7)
XP
arp -s 192.168.11.1 02:AA:BB:CC:DD:20
OR
WIN7
netsh interface ipv4 add neighbors 12
192.168.11.1 02:AA:BB:CC:DD:20
(WAN 02:AA:BB:CC:DD:21)
(12 above is the interface number in Win7 taken from LAN adapter number from "route print" command)
Use Linksys TFTP firmware upload utility or windows TFTP client to upload a firmware.
Plug your router in and soon as you see LAN card traffic light run TFTP upload or hit download on the Linksys TFTP utility.
tftp -i 192.168.11.1 PUT c:\firmware.enc
MAC address used in the procedure is not LAN or WAN address that you find on the router, it seems to be generic number that applies to boot load for the model. i.e. WZR-HP-G300NH is 02-AA-BB-CC-DD-1A, WZR-HP-AG300H is 02:AA:BB:CC:DD:20.
Hello everyone i try install in buffalo wzr-hp-g300ng BrainSlayer-V24-preSP2 06-14-11-r17201 wzr-hp-g300nh2-dd-wrt-webupgrade-MULTI.bin firmware.And buffalo stopped working.Now always rebooting.I see only green power led and red led.Windows recovery metod not working and linux not working in live cd.Very please help how i can recovery buffalo.Maybe what can help?Please write skype nick kiesa3.
My buffalo looks now http://www.youtube.com/watch?v=wJTbcpKbxEg
Got my router back from being bricked. Had the two blinks Red diag light. Used this guide with some modifications. Used the pumpkin software and "WZR-HP-G300NH is 02-AA-BB-CC-DD-1A" MAC address as described in other comments. Also disabled Windows firewall.
life saver!
This saved my router as well, but I did have to make some changes for the Ubuntu instructions. My router was getting out of the TFTP window in less than 5 seconds and the settings listed in the Ubuntu section were getting wiped out every time I rebooted or unplugged the router.
I wrote a small script to setup the network and then only used the verbose and binary commands in TFTP. Everything worked fine and the new firmware was transmitted in just 5 seconds. Shocked me after hours of different methods to unbrick, I was losing hope but this blog got my router up and running again.
If you were following other guides to get to this one, you may have been instructed to use a dummy MAC instead of your actual MAC. In my case, the actual MAC address worked. I suspect the difference is whether you're attempting to get in on the WAN or LAN ports.
Ilyxa742
It's realy working with pumpkin! thank you!
I love you!!!!
The Ubuntu procedures just fine. I recommend everyone to use linux as 'Micro$oft Windoes' is a shit OS.. It just wont work.
Linux... Worked at the first try.
Hi, first of all thanks for posting this and huge credit to all who figured this out!!!
Bricked my Ubiquiti NanoStation M2 couple days ago by trying to reflash to original firmware from DD-WRT, had both antenna lights up on whole time with power and link light but no ip response what so ever, after hard reset followed your directions by adding neighbor MAC ID and thru Linksys TFTP utility loaded original firmware!
Worked on Intel 2.0 Ghz Windows 7 OS
Just got it working here on a bricked WHR HP-G300N.
To the writer and all the helpful posters, thank you so much for the helpful information.
For fellow HP-G300N owners, ensure that you turn off windows firewall, install tftp through add remove windows components and use the tftp command line rather than the gui clients. (at least that is what ultimately worked for me)
So as was posted before: tftp -i 192.168.11.1 PUT c:\firmware
(just 'firmware' in my case rather than 'firmware.enc' since I don't show file extensions in explorer)
Other than that, follow the original guide :)
Yes, I also got my WZR HP G300NH bricked after factory DD-WRT firmware upgrade. The diag RED light is on all the way!
And thanks to this great blog, the router could be recovered with ubuntu approach at the first try! I have tried Windows 7 approach, but failure, it seems missed the tftp transmission window. Anyway, the linux approach works great!
But I have a slightly different, firstly, I have used the dummy mac address which I saw from the other forum, I used 02-AA-BB-CC-DD-1A. I think the real mac address should work as well, but I haven't tried.
The second point is I used a 10/100 switch in between the Linux machine and the router. So that, one LAN cable connects from the Linux to the switch and another LAN cable connects from the switch to one of the LAN ports of the G300NH.
And at the beginning of the whole task, I have done 30/30/30 reset.
Thank you for great guide.
One addition. My unit complainned flash rom error. First I tried to unbrick with latest 179 firware and upgrade was always cancelled roughly at 80%.
Then I treid to flash Professional sw version and it worked. This was some how related to file size. Buffalo Prof firmware is only 12M instead of 21M (179 version).
So if problems try smaller size firmware
Would not work with the label MAC Address of the router - but it did work with the generic MAC address of: 02-AA-BB-CC-DD-1A; for the STATIC ARP entry use this:
arp -s 192.168.11.1 02:AA:BB:CC:DD:1A
I used UBUNTU, and PUT the .enc file firmware file; it finally started loading after about 10 seconds. Then when it is complete the Diag Light will blink at varying rates until it finally reboots on its own, then the wireless light will light and you can webgui into 192.168.11.1
Hello, I cant changr my firware using this information. First I change TCP/IP configuration. Switch off firewall. My WinXP do not accept"netsh interface ipv4 add neighbors 12 192.168.11.1 00-1d-12-34-56-78" command. Insteat it I use "arp -s 192.168.11.1 [my MAC-adess]". Then I start PumpKin program with firmware, and plug in DC adaptor to my WZR-HP-G300NH2AP rowter. Some time past i receive message from program "Transmission is timed out. Transfer was aborted"
What`s wrong? Where is my mistake?
Hello every one.
I try to use this way for buffalo g450h
1- put the ip address
2 - firewall turn off
3- use the netsh interface ipv4 add neighbors in the cmd
4 - use the tftp and turn on the router
5 - Waite alots of time anf this message appear
timeout occurred
connect requset failed
also I try to upload by the Linksys TFTP utility
pleas if any one help me .
Where can I get the .ENC firmware file!?
Thanks at all!!
The instructions worked perfectly. Particularly the part about the firewall being disabled and the arp setup. Thanks!
Wow, this helps. Especially the advice to use the professional firmware with less Mb (I also had the 80% error) and to shut down the Windows firewall...
Worked like a champ; had to use MAC 02-AA-BB-CC-DD-1A to get it to work on a WZR-HP-G300-NH2
If you are here because you bricked a Buffalo router model different from WZR-HP-G300NH, please note that the MAC address used in the TFTP recover procedure is MODEL DEPENDANT. For my WBMR-HP-g300N it was 02-AA-BB-CC-DD-30.
You can obtain the MAC of the bootloader by dumping via WIreshark or tcpdump the TFTP request that the router triggers when switching it on while pressing the AOSS button.
You have also another way of recovering a WBMR-HP-G300H: you can use the procedure described here http://wiki.openwrt.org/toh/buffalo/wbmr-hp-g300h which involves flashing a very special image which resides in RAM (therefore is lost between reboot); when you have gained access you can run the sysupgrade procedure using a dd-wrt image (uImage, not webflash). Using this (longer but straightforward) procedure I recovered my WBMR-HP-G300NH router.
Hey,
Really awesome blog and unique content & the process is very easy. i think it's very useful for us. i like it. I am from Linksys Router Support - Call 1-888-897-5899 (Toll Free) now for comprehensive tech support from Certified technicians, highly skilled in providing support for Linksys Router, Linksys Router Support, Linksys Support, available 24/7.
Follow this link Linksys Router Support
Thanks
Eva Smith
Hey, thanx for such a nice blog.hp networking switches
Thanks for share awesome blog. i think it's very useful for me.. really amazing content... keep it up.,, :((
Follow this link Linksys Technical Support
Thank you for the tutorial.
One thing i could add is to do everything under a linux console and to use the MAC address 02-AA-BB-CC-DD-1A under WZR-HP-G300NH2.
I couldn't manage do it with the network discovery on windows and ubuntu.
After unsuccessful upgrade of an firmware of a router, the Router got periodic resets. The topic "TFTP recovery in Windows" helped me to recover my router. Many thanks to the author of this blog. Technical information: router WZR-HP-G300NH. PC with Windows 8 (64 bits). Firmware which was used for recovery was "wzrhpg300nh-pro-v24sp2-14998" (size: 11,8 MB).
Post a Comment