Wednesday, June 23, 2010

Firmware flash and brick recovery through TFTP

Though the whole flashing process (DD-WRT to stock and vice versa) can be done via the web interface without getting your hands dirty, there are cases where web flashing is not sufficient. One common scenario is a bricked WZR-HP-G300NH, i.e., no web access and no ping response due to bad firmware or a wrong operation; or you may just want to try other firmware such as OpenWrt. Luckily, the WZR-HP-G300NH has a robust bootloader, and the router can be recovered using TFTP from Windows, Linux or OSX.

It's a little trickier than with traditional Broadcom routers, because the WZR-HP-G300NH does not broadcast its MAC during the initial bootup process. As a result, we must tell the computer how to communicate with the router by manipulating its ARP table.

TFTP recovery in Windows
*Untested, credit goes to ermax at DD-WRT forum
  1. Get your router's MAC: it's the 12-digit default SSID printed on the sticker at the back of the router, starting with 00. Then break it into pairs of digits by inserting : or - between them.
  2. Download the latest official firmware (in case of recovery) from Buffalo's official website. Extract the archive to get the firmware; in my case, it's 1.74 and the firmware name is wzrhpg300nh-174, ~20MB.

    Also download the Linksys TFTP utility.
  3. (May not be necessary) Do a hard reset or 30/30/30 on the router.
  4. Unplug all the Ethernet cables and the power cable, then connect the computer directly to the router (still leave it off).
  5. Set the computer's static IP to 192.168.11.2, netmask 255.255.255.0, gateway/DNS 192.168.11.1.
  6. Open a Windows command prompt as Administrator. This is the default on Windows XP; under Windows Vista/7, type cmd in the search box of the Start menu, then press Ctrl+Shift+Enter. You will be prompted with the User Account Control dialog.
  7. Type route print to get a list of your NIC(s). Write down the interface number for the LAN card, in my case, it's 12.
  8. Now type the command below to get the ARP binding(thanks ermax at DD-WRT forum):

    netsh interface ipv4 add neighbors 12 192.168.11.1 00-1d-12-34-56-78

    Replace the number 12 with the interface number and 00-1d-12-34-56-78 with the router's MAC address.
  9. Run the Linksys TFTP utility. Enter 192.168.11.1 as the Server address, leave Password empty, set File to the wzrhpg300nh-174 you just extracted, and set the retry time to 30.
  10. Click "Upgrade" in the TFTP utility and quickly plug the power back in to turn on the router. There might be a few failed attempts, but the flash process should start later. Wait patiently; the router will reboot itself when the upgrade is done. Navigate to http://192.168.11.1 (for stock firmware) to configure your router.

TFTP recovery in Linux
*Most of this part is from the DD-WRT wiki with some tweaks. Tested working.

I will use the Ubuntu Live CD as an example, but other distros should also work. The Ubuntu LiveCD can be booted from a USB flash drive. See here.

  1. Do Steps 1-4 in "TFTP recovery in Windows", except we don't need the Linksys TFTP utility here. So we have the MAC address ready, the router unpowered and the computer directly connected to the router.
  2. After booting into Ubuntu, open a terminal and type:

    sudo apt-get update
    sudo apt-get install tftp-hpa
    sudo /etc/init.d/networking stop
    sudo ifconfig eth0 192.168.11.2
    sudo ifconfig eth0 netmask 255.255.255.0
    sudo arp -s 192.168.11.1 00:1D:12:34:56:78
    #change to the folder where you put the firmware image, if it's on desktop then it's
    #"/home/ubuntu/Desktop".
    cd /home/ubuntu/Desktop
    tftp 192.168.11.1
    # From this point on you're at the tftp command prompt; "tftp>" is the prompt tftp gives you, so you only need to type the command AFTER it.
    tftp> verbose
    tftp> binary
    tftp> trace
    tftp> rexmt 1
    tftp> timeout 60
    tftp> put wzrg300nh-firmware.tftp

    Replace the fictional MAC 00:1D:12:34:56:78 with the router's. Also replace wzrg300nh-firmware.tftp with the firmware you need; in the case of stock firmware, it's wzrhpg300nh-174.

    Also, at this point, the router is still unpowered and that's OK. Tftp will keep trying to send the firmware to the router, and when it fails (because the router isn't yet on or hasn't yet brought up its tftp interface) it will wait 1 second and retry, up to 60 times, as that's how we set up the tftp client.
  3. Now quickly plug the power cord back into the router. The router will start up and you will (possibly) see some lights blinking. About 10-20 seconds in, you should notice that tftp is sending the file: instead of the retry message over and over, you will see some progress scrolling down the screen, and at the end it will tell you how many blocks or bytes were transferred in how many seconds.
  4. After the transfer is complete, wait about 5-10 minutes; the router will reboot itself. When the wireless LED is on, you're good to go.
  5. Bring the network back in Linux by typing

    sudo service networking start

TFTP recovery in OSX
*Untested, credit goes to BDawg at DD-WRT forum
  1. Do Steps 1-4 in "TFTP recovery in Windows", except we don't need the Linksys TFTP utility here. So we have the MAC address ready, the router unpowered and the computer directly connected to the router.
  2. Set the computer's static IP to 192.168.11.2, netmask 255.255.255.0, gateway/DNS 192.168.11.1.
  3. Open a terminal and type

    sudo arp -s 192.168.11.1 00:1D:12:34:56:78 ifscope en0

    Replace with your own router's MAC.
  4. Type

    tftp 192.168.11.1

    tftp> put wzrhpg300nh-174

    Don't press Enter
  5. Now plug the power cord back in and hit Enter to start the tftp transfer.
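
The MAC conversion from step 1 and the static ARP binding from each of the three procedures above, as an added example that is not part of the original post. The function names ssid_to_mac and arp_command are illustrative, the sample SSID is the post's fictional MAC, and the script only prints the command for you to paste; it does not change the ARP table itself.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are illustrative.
ROUTER_IP=192.168.11.1   # bootloader address used throughout the post

# ssid_to_mac SSID SEP: print the sticker SSID as a MAC with SEP (":" or "-")
# between byte pairs. Fails unless SSID is 12 hex digits starting with 00.
ssid_to_mac() {
    case "$2" in ':'|'-') ;; *) return 2 ;; esac
    ssid=$(printf '%s' "$1" | tr 'A-F' 'a-f')   # normalise to lower case
    case "$ssid" in 00*) ;; *) return 1 ;; esac
    case "$ssid" in *[!0-9a-f]*) return 1 ;; esac
    [ "${#ssid}" -eq 12 ] || return 1
    # Append SEP after every pair, then drop the trailing SEP.
    printf '%s\n' "$ssid" | sed -e "s/../&$2/g" -e 's/.$//'
}

# arp_command OS SSID [IFACE]: print (do not run) the static ARP line for OS.
# IFACE is the number from "route print" on Windows or the NIC name on OSX.
arp_command() {
    case "$1" in
        windows)
            case "$3" in ''|*[!0-9]*) return 2 ;; esac
            mac=$(ssid_to_mac "$2" -) || return 1
            echo "netsh interface ipv4 add neighbors $3 $ROUTER_IP $mac" ;;
        linux)
            mac=$(ssid_to_mac "$2" :) || return 1
            echo "sudo arp -s $ROUTER_IP $mac" ;;
        osx)
            case "$3" in ''|*[!a-z0-9]*) return 2 ;; esac
            mac=$(ssid_to_mac "$2" :) || return 1
            echo "sudo arp -s $ROUTER_IP $mac ifscope $3" ;;
        *) return 2 ;;
    esac
}

# Constructed sample: the post's fictional MAC written as a sticker SSID.
SAMPLE_SSID=001D12345678
arp_command windows "$SAMPLE_SSID" 12
arp_command linux   "$SAMPLE_SSID"
arp_command osx     "$SAMPLE_SSID" en0
```

A non-zero exit status means the SSID or the interface value was mistyped, so nothing is printed to paste.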
