[the1williegeorge]

Yesterday, I revived a semi-bricked WRT310N v2 that was stuck in management mode after a failed attempt to install DD-WRT. I didn't find anyone else that had posted the procedure that I ended up using, so I'm posting it in hopes that it can help someone else.

On this router, management mode would not accept ANY firmware, including the Linksys stock one, from ANY browser (and I tried several browsers on several OSes, including IE8 on XP). Using tftp and quick timing, I could get it to accept a firmware, but it would always go back to management mode whether simply power cycled or 30-30-30 reset.

Forum posts implied that a serial connection was my only hope. Then I noticed that the management mode links for reboot and nvram erase looked like the do.htm page was sending command line instructions. Putting "ping 192.168.1.23" after the "cmd=" resulted in the router sending a ping packet to my laptop. (I was watching with Wireshark.) So I decided to try the serial console commands. Using the recommended "flash -ctheader : flash1.trx" command, the router would start the tftp connection, but Wireshark showed the "code pattern incorrect" error. Then I tried the "-noheader" variant just to see. This resulted in the router accepting most any firmware file via tftp. I sent everything from stock, to DD-WRT to tomato. However, it always then returned to management mode.

After quite a bit more searching and trying various combinations of commands (over the course of 24 hours), the one that wound up working was:

erase nvram;flash -noheader : flash1.trx;mtd unlock linux;mtd write flash1.trx linux;nvram commit

which I URL-encoded and appended to the cmd parameter to end up with:

http://192.168.1.1/do.htm?cmd=erase%20nvram%3Bflash%20-noheader%20%3A%20flash1.trx%3Bmtd%20unlock%20linux%3Bmtd%20write%20flash1.trx%20linux%3Bnvram%20commit

in my address bar. After entering that and sending a firmware file (actually sent a tomato build on accident when I meant to send the stock file), my ping started timing out then came back to TTL=64 instead of 100! A 30-30-30 got me into tomato's web interface, from which I "upgraded" to the stock firmware.

I now have a fully functional WRT310N v2 on the stock firmware. I hope this information helps someone else with a semi-bricked router.

[Murrkf]

This looks interesting...

[flipy]

Would be nice to put it on the wiki if it works for more routers.

[LOM]

[the1williegeorge]

I admit that, after several hours of trying, I just started adding commands. I acknowledge that some may have not been needed, but that was the command line that I had in the address bar when it started working. If any of you know which ones were actually the ones that did anything, please add that info here!

[t1er]

This method seems to get me closest to unbricking the WRT310N v2. The command link works and directly after sending the command, tftp will accept a firmware file. The pings go dark, but after 10-15 seconds, it comes back with TTL=100 still and nothing has changed. Any ideas?

[the1williegeorge]

I did unnecessary commands because I was guessing. This router was sour before I started trying random commands.

I would very much like someone who knows more to clean this up into a real procedure.

For the guy trying to unbrick the router, try sending the nvram commit part separately once it comes back at TTL=100 after taking the firmware. Leery me know how that goes.

[G33K]

A huge kudos to the1williegeorge for posting this!!!

My stock router is a WRT310Nv2-CC which would not accept the dd-wrt firmware despite following the wiki to the letter. After lots and lots of googling found out that the cause is possibly the "-CC" which from what I understand was a distribution by comcast, (surprisingly the local microcenter store had loads of these for dirt cheap but they all turned out to be -CC, seems comcast offloaded a bunch of these left overs)

Anyway, I followed the OP's instructions and running the command let me tftp firmware to the router. I tried a bunch of them, including the trailed firmware but in the end what worked was the the dd-wrt.v24-14929_NEWD-2_K2.6_std_nokaid_small.bin.

In hindsight, the other firmwares might have worked too but its possible that I didn't wait long enough after sending the firmware and for me the pings started timing out after sending the firmware and never came back, the last one I ended up waiting a whole 10 minutes before rebooting the router and lo and behold, I was in dd-wrt!!

For the record, the link/command I used was:
http://192.168.1.1/do.htm?cmd=nvram+erase%3Bflash+-noheader+%3A+flash1.trx%3Bmtd+unlock+linux%3Bmtd+write+flash1.trx+linux%3Bnvram+commit

I read the comments about the commands being mixed between cte and linux, not too savvy about that, point is, it worked for me even with the commands mixed up. This definitely would be useful on the wiki!

[the1williegeorge]

Glad I could help!

As to the mixed up commands, I still wish that someone with the system-level knowledge to decipher this would look over my original post and G33K's post and tell us which parts of it actually did something. Then maybe it would be clean enough to be useful in other research on these and maybe other routers.

[xyz100]

I just loaded my "CC" router with DD_WRT. Thanks the OP for ideas on how to do it. However the commands are not quite correct. No Linux commands are needed. What is important - the firmware version. Flashing dd-wrt.v24-14929_NEWD-2_K2.6_std_nokaid_small.bin is the key.

I did it over serial port. However it also can be done the way OP did it.

Prerequisites:
1. Router MUST be in CFE mode for it to work. The commands from the browser WILL NOT WORK if the router is not in CFE mode. The router with original firmware does NOT get into CFE mode automatically. I needed a serial connection to hit it with "Ctrl-C" when it boots to get to CFE mode. Once you screw-up the original firmware by bad flash the router will get to "Management Mode" in the browser which is equivalent to CFE mode.
2. Get dd-wrt.v24-14929_NEWD-2_K2.6_std_nokaid_small.bin firmware.
3. TFTP server running on PC with root directory containing item #2 firmware. I used TFTPD.


Procedure with serial connection:
1. Start TFTPD.
2. Apply power to the router. The terminal (115200 baud rate) will display CFE prompt.
3. Type ipconfig in CMD window. Get a note of your PC IP address. In my case it was 192.168.1.100
3. Type the command at the prompt followed with Return. Watch the router flash the firmware:

CFE> flash -noheader 192.168.1.100:dd-wrt.v24-14929_NEWD-2_K2.6_std_nokaid_small.bin flash1.trx
CMD: [flash -noheader 192.168.1.100:dd-wrt.v24-14929_NEWD-2_K2.6_std_nokaid_small.bin flash1.trx]
Reading 192.168.1.100:dd-wrt.v24-14929_NEWD-2_K2.6_std_nokaid_small.bin: _tftp_open(): retries=0/3
Stop to blink diag led ...Done. 3514368 bytes read, fname=(null)
Programming...done. 3514368 bytes written
*** command status = 0

4. Cycle power. You got yourself DD-WRT.


Notes: Other firmware apparently will not work. I tried trailed version first which screwed up the original firmware and made the access to CFE mode easier for me. The firmware above is the key to flashing CC routers.

Other commands are irrelevant. I did not even to 30-30-30 reset in the end just cycled power.

Good luck.

[the1williegeorge]

xyz100, I'm glad you got your router back up.

However, the linux commands in the address bar WERE necessary for the recovery of my router. I had tried your instructions with the exact firmware you mention (as well as many, many others) before i started down the linux commands portion of my adventure.

Most of the time, you are right, and merely flashing a specific firmware file can get you out of whatever situation you are in. Since that was definitely not the case for my router, I listed the other information here to provide additional things to try for those in a similar boat.

I still hope that someone who knows more about CFE mode will see all of this and sort out for us which commands actually did something and why.

[xyz100]

I did try to issue your commands from the browser. I watched the CFE interface and how the router took the commands. All "mtd" commands were reported as not supported.

May be they are supported on yours. On mine ("CC" version) they are not.

I also tried different firmware. With no luck. Until the version I mentioned. I bet your tomato version would work too. It would be great if you could tell us what version you used and where to get it.

Thanks.

[the1williegeorge]

Good to know that yours is the cc one. Mine isn't. Maybe that's the difference on the commands.

The tomato version that I used was the newest one that was for my router. I'll have to look at the laptop I used and see if I saved the file to see exactly what version it was.

[oswi239]