[solved] WZR-HP-G450H and TFTP original firmware

silversilver11
DD-WRT Novice


Joined: 08 May 2012
Posts: 14

Posted: Thu May 31, 2012 1:08    Post subject: [solved] WZR-HP-G450H and TFTP original firmware
I purchased 3 of these:

http://www.buffalotech.com/products/wireless/wireless-routers/airstation-highpower-n450-gigabit-wireless-router-wzr-hp-g450h/

Japanese models. Should have done my homework as I assumed since the US model came with DD-WRT the Japanese model would as well, not the case as I found out.

Long story short, serial cable + two commands at uboot and I was able to flash using the web interface using the US DD-WRT firmware located on the US Buffalo website.

But in my infinite wisdom I then flashed the Buffalo WZR-HP-G300NH firmware from this site, bricking the unit.

I then tried to TFTP to fix my issues, after increasing the timeout of the TFTP server (on router) to 10 seconds via uboot I could get new firmware loaded, OR using the methods described on this page:

http://scarygliders.net/2010/02/23/hacking-around-the-japanese-buffalo-wzr-hp-g300n/

to also load the firmware.

But the problem is I can not decrypt the US firmware and load it as the router just says "bad magic number"...

I tried openWRT which seemed to have a build directly for the WZR-HP-G450H but it also bad magic numbered and even after HEX editing the headers couldn't get it working.

I have 2 out of the 3 routers running, just one bricked. Any advice?

Also noticed this guy having the same issue:
http://www.dd-wrt.com/phpBB2/viewtopic.php?p=670662

with no replies.


Last edited by silversilver11 on Fri Jun 01, 2012 1:12; edited 1 time in total
silversilver11
DD-WRT Novice


Joined: 08 May 2012
Posts: 14

Posted: Thu May 31, 2012 9:05
Actually got it installed! Other people might be interested to know how:

I couldn't decrypt the firmware but I had two others running the Buffalo DD-WRT version.

On the bricked router I installed a modified-for-TFTP wla-ag300-firmware-MULTI.bin (15962), as I was getting segmentation errors on the newer builds. It didn't allow the router to work, but using a serial cable I was able to get to a Linux command prompt.

- Telnet into a different working WZR-HP-G450H running the Buffalo flavor of DD-WRT.

- Run: cat /dev/mtd/1 > /tmp/www/mtd1.dump

- SSH into the same router and copy file to local machine. (This file is the unencrypted firmware ready to load!)

- Config your PC to 192.168.11.2 / 255.255.255.0 (no gateway or DNS)

- Plug router directly into computer. If you have other networks attached (like a wireless network), I recommend disabling them just so that things run smoother.

- Disable your firewalls and anti virus stuff (important!)

- Connect serial cable to bricked WZR-HP-G450H and using putty connect to the router (115200,8,N,1)

- Plug in power and when TFTP server starts, press Ctrl-C to get to a Uboot prompt.

- type: setenv accept_open_rt_fmt 1

- type: setenv region EU
(if you have a JP model)

- type: saveenv

- type: reset

- Router reboots, wait for TFTP, press control C, get to the uboot prompt again.

- type: ping 192.168.11.2

- It should say "192.168.11.2 is alive"; if it doesn't, check your cables and that your firewall is turned off. I found that if I didn't ping every time it only sometimes worked; once I had pinged once, TFTP worked every time.

- On laptop open a DOS prompt and type: tftp -i 192.168.11.1 PUT mtd1.dump

- and press enter

- (straight away) in Putty type: TFTPS

- The file should transfer.

- In Putty type: run u_fw

- Wait for about 3 mins while the old firmware is deleted and the new is installed.

- Smile! You've debricked.
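
A pre-flash sanity check for the dump used in the steps above, as an added example that is not part of the original posts. It assumes mtd1.dump begins with a legacy U-Boot uImage header (64 bytes, magic 27 05 19 56), which the "MIPS Linux Kernel Image" string in a dump posted later in this thread suggests; the function names and the sample image are constructed for illustration.

```python
import struct
import zlib
UIMAGE_MAGIC = 0x27051956     # legacy U-Boot image magic, bytes 27 05 19 56
HEADER_FMT = ">7I4B32s"       # big-endian header, 64 bytes in total
HEADER_LEN = struct.calcsize(HEADER_FMT)

def check_uimage(blob):
    """Return the header fields of a valid image, or raise ValueError."""
    if len(blob) < HEADER_LEN:
        raise ValueError("file shorter than a 64-byte header")
    (magic, hcrc, _time, size, load, entry, dcrc,
     _os, _arch, _type, _comp, name) = struct.unpack_from(HEADER_FMT, blob)
    if magic != UIMAGE_MAGIC:
        raise ValueError("bad magic number 0x%08x" % magic)
    # The header CRC is computed with its own field (bytes 4..7) zeroed.
    zeroed = bytes(blob[:4]) + b"\0" * 4 + bytes(blob[8:HEADER_LEN])
    if zlib.crc32(zeroed) & 0xFFFFFFFF != hcrc:
        raise ValueError("header checksum mismatch")
    # A partition dump is longer than the image; check only `size` bytes.
    payload = bytes(blob[HEADER_LEN:HEADER_LEN + size])
    if len(payload) != size:
        raise ValueError("dump truncated, header claims %d bytes" % size)
    if zlib.crc32(payload) & 0xFFFFFFFF != dcrc:
        raise ValueError("data checksum mismatch")
    return {"name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": size, "load": load, "entry": entry}

def verdict(blob):
    """One-line go/no-go summary for a candidate file."""
    try:
        info = check_uimage(blob)
    except ValueError as err:
        return "REJECT: %s" % err
    return "OK: %(name)s, %(size)d payload bytes" % info

def build_sample(payload, name=b"MIPS Linux Kernel Image"):
    """Constructed test image (not real firmware); addresses are made up."""
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), 0x80002000, 0x80002000,
              zlib.crc32(payload) & 0xFFFFFFFF, 5, 5, 2, 3, name]
    fields[1] = zlib.crc32(struct.pack(HEADER_FMT, *fields)) & 0xFFFFFFFF
    return struct.pack(HEADER_FMT, *fields) + payload

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # e.g. python check.py mtd1.dump
        with open(sys.argv[1], "rb") as fh:
            print(verdict(fh.read()))
    else:                                      # constructed dump + flash padding
        print(verdict(build_sample(b"\x5d" * 4096) + b"\xff" * 1024))
```

A file that still carries a vendor wrapper or encryption fails the first check, so it is rejected on the PC rather than at the router's prompt.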
kevinc
DD-WRT Novice


Joined: 10 Jan 2008
Posts: 3

Posted: Wed Jun 20, 2012 4:47
silversilver11 wrote:
- Telnet into a different working WZR-HP-G450H running the Buffalo flavor of DD-WRT.

- Run: cat /dev/mtd/1 > /tmp/www/mtd1.dump

- SSH into the same router and copy file to local machine. (This file is the unencrypted firmware ready to load!)


I have the same situation and the same tools in hand, but only this bricked G450H. I cannot get unencrypted firmware anywhere. Can someone do the procedure quoted above and send the firmware dump to my email, found in the button below?
kevinc
DD-WRT Novice


Joined: 10 Jan 2008
Posts: 3

Posted: Tue Aug 21, 2012 21:08
Finally I got it unbricked!

I had to buy another (second hand) WZR-HP-G450H where I could get original non-encrypted (decrypted) firmware. I just followed the instructions above.

Well, now I have 2 working routers...

I'm still a little disappointed that no one provided help. Downloading original firmware from a working router took only a few minutes, needed only a web browser and I didn't have to take my ass off the sofa.
trivita
DD-WRT Novice


Joined: 26 Sep 2012
Posts: 3

Posted: Tue Oct 16, 2012 8:29
hah, i solved this by compiling buffalo-enc.c

but firmware from buffalo can't be unpacked directly by this buffalo-enc.

you need to strip off the first "start" section before unpacking the encoded firmware.

then use openwrt's sysupgrade to flash it instead of using TFTP.

RRuo58
DD-WRT Novice


Joined: 10 Nov 2012
Posts: 2

Posted: Fri Nov 16, 2012 17:32
trivita wrote:
hah, i solved this by compiling buffalo-enc.c

but firmware from buffalo can't be unpacked directly by this buffalo-enc.

you need to strip off the first "start" section before unpacking the encoded firmware.

then use openwrt's sysupgrade to flash it instead of using TFTP.



Thank You. I used your method and it worked fine.
diddyfan2pac
DD-WRT Novice


Joined: 19 Nov 2012
Posts: 3

Posted: Tue Dec 04, 2012 20:15
RRuo58 wrote:
trivita wrote:
hah, i solved this by compiling buffalo-enc.c

but firmware from buffalo can't be unpacked directly by this buffalo-enc.

you need to strip off the first "start" section before unpacking the encoded firmware.

then use openwrt's sysupgrade to flash it instead of using TFTP.



Thank You. I used your method and it worked fine.

Can you please post a guide?
ilninno
DD-WRT Novice


Joined: 03 Aug 2012
Posts: 2

Posted: Wed Dec 12, 2012 23:27    Post subject: Great solution
I have tried with several firmwares and only openwrt one worked for me (On the openwrt wiki). The other failed due to magic number error or the checksum one. The problem is that I didn't want to use openwrt and it was impossible to jump to another product (dd-wrt or buffalo are ciphered packages)

Finally I decided to try using the buffalo-enc.c (although I saw it was developed some time ago) and it didn't work.

It was when I saw this forum and read that it is necessary to remove the Start Section (You have to remove everything before the second Start) by using a hex editor (You can use any of the buffalo official firmwares).

After doing that I have been able to decrypt this file and upload it by using the tftp.

I used jtag for seeing the boot process but I really think is is necessary if you provide the unciphered firmware on the 4-seconds boot (There are really good guides on Internet).

Thank you very much for this post
Sergius14
DD-WRT Novice


Joined: 24 Jan 2012
Posts: 2

Posted: Sat Dec 29, 2012 4:52
Can somebody explain a little more about how to get and compile buffalo-enc.c and also how/what to strip from the enc Firmware files?
diddyfan2pac
DD-WRT Novice


Joined: 19 Nov 2012
Posts: 3

Posted: Tue Jan 01, 2013 16:15
Sergius14 wrote:
Can somebody explain a little more about how to get and compile buffalo-enc.c and also how/what to strip from the enc Firmware files?

Seems that everyone keeps the secret...
RRuo58
DD-WRT Novice


Joined: 10 Nov 2012
Posts: 2

Posted: Fri Jan 04, 2013 9:18
Sergius14 wrote:
Can somebody explain a little more about how to get and compile buffalo-enc.c and also how/what to strip from the enc Firmware files?


Here is a little more.
buffalo-enc.c is in the OpenWrt sources and you need a binary file editor to see the Start Sections in an .enc file.
gstammw
DD-WRT Novice


Joined: 17 Oct 2008
Posts: 6

Posted: Thu Apr 04, 2013 19:53    Post subject: reverting openwrt to ddwrt on Buffalo WZR-HP-G450h
Hello,

I have backed up /dev/mtdblock0 to /dev/mtdblock8 on the original buffalo-branded DD-WRT of the WZR-HP-G450H.
The backups are 8 files on a usb-stick and the mtd-layout of the buffalo-fw looks like this:
root@DD-WRT:/dev# cat /proc/mtd
dev: size erasesize name
mtd0: 00050000 00010000 "RedBoot"
mtd1: 01f80000 00010000 "linux"
mtd2: 00c97000 00010000 "rootfs"
mtd3: 011f0000 00010000 "ddwrt"
mtd4: 00010000 00010000 "nvram"
mtd5: 00010000 00010000 "FIS directory"
mtd6: 00010000 00010000 "board_config"
mtd7: 02000000 00010000 "fullflash"
mtd8: 00010000 00010000 "uboot-env"


After that I installed openwrt on the router but was not satisfied and want to REVERT TO THE BUFFALO-STOCK-FW. How can I do that when I can not get an unencrypted fw?
The buffalo-stock-MTD1 looks like this:
"root@DD-WRT:/dev# cat /dev/mtd1ro | more
'V#ƓM?{n?x? ?aP[{?nMIPS Linux Kernel Imagem??,?@?(,ml6???F?????O3<j?nB?????m???????Iv??v`Ioʒi????W?d???[ћ??o?l?@?s??????jS=Q?K???.?*5???N?TR`?D,)>\`3?E????[b~?y82~??4=??adi,yy }??6?hQ?1l???Fi???s?[f.?????yv{?bConfused?[Iĥ?"%7?0SCg,EFkJ?#d??*j?J????S?Gu???D{mw?,?)?9+????X?R??T,?Jt?X??{?(k?!?Px{K?qWC??^m|?r?????9Ik????^/K<??'p_?,?" and so on.


The problem is that the mtd-layout of openwrt has changed to this:
root@OpenWrt:/# cat /proc/mtd
dev: size erasesize name
mtd0: 01000000 00010000 "spi0.0"
mtd1: 01000000 00010000 "spi0.1"
mtd2: 00040000 00010000 "u-boot"
mtd3: 00010000 00010000 "u-boot-env"
mtd4: 00010000 00010000 "ART"
mtd5: 00100000 00010000 "uImage"
mtd6: 01e80000 00010000 "rootfs"
mtd7: 00020000 00010000 "user_property"
mtd8: 01f80000 00010000 "firmware"

How can I restore the captured DD-WRT-mtd-files on the router running OpenWRT from the shell (with ssh/telnet NOT from serial console)??

Thanks
silversilver11
DD-WRT Novice


Joined: 08 May 2012
Posts: 14

Posted: Fri Apr 05, 2013 1:16
Quote:
How can I restore the captured DD-WRT-mtd-files on the router running OpenWRT from the shell (with ssh/telnet NOT from serial console)??


You should be able to copy it to the www directory of the router and download it via a browser. Then TFTP it on router reboot, OpenWRT might even accept it from their firmware upgrade www page.
Luzie
DD-WRT Novice


Joined: 07 Apr 2013
Posts: 2

Posted: Sun Apr 07, 2013 9:56    Post subject: Unbrick WZR-HP-G450H possible w/o USB-Serial-Adapter ?
Hi,

can you please tell me if I need to open my
bricked WZR-HP-G450H and use a USB-Serial-Adapter
for writing firmware to it

or is it possible to flash a firmware without opening the case and losing guarantee ?

(My Buffalo WZR-HP-G450H only blinks the DIAG LED twice after trying an online Stock v1.85 to v1.86 update).

Regards,

Luzie
gstammw
DD-WRT Novice


Joined: 17 Oct 2008
Posts: 6

Posted: Sun Apr 14, 2013 17:37
silversilver11 wrote:

You should be able to copy it to the www directory of the router and download it via a browser. Then TFTP it on router reboot, OpenWRT might even accept it from their firmware upgrade www page.


Yeah, but how can I do that?
I have captured the blocks using "dd if=/dev/mtd/0 > mtd0-file" and saved the files from mtd0-file to mtd8-file on a usb stick.
I have transferred these to my tftp-server but WHICH of these files shall I upload and how can I restore the original mtd-layout?

Thanks