[KeithO]

Hello Everyone!

I have managed to get the Buffalo WCR-GN flashed with DD-WRT and I'm posting all
of the information here in the hope that it will help others. Also, I'm a long
time user of DD-WRT and I want to give back to the community.

There are other topics in this forum that discuss
details on flashing DD-WRT onto a WCR-GN, but I found
the information fragmented across many posts and topics. Some of the information was wrong. To all
who provided details and information I have used
many thanks!

First, before we proceed:

The instructions below may BRICK YOUR DEVICE. In other words, it may stop doing anything
useful! proceed at your own risk! Please don't blame if things go wrong!

1. INTRODUCTION
I started by asking Buffalo tech support if they could assist me in flashing DD-WRT via
the web interface provided by the firmware that ships with the unit. Below is the exchange
that occurred between the helpful Buffalo tech support person and myself:

Re: [Ticket#2013010210006759] Contact Form: Keith XXXXX

Buffalo Tech Support info@buffalotech.com via xxxxxxxx
Jan 3 (5 days ago)

to keith

As we do not provide a version of our DD-WRT firmware for this unit, we are unable to
assist with voiding the router's warranty by flashing of our routers to non-Buffalo
DD-WRT. My apologies for any inconvenience this may cause.

Thank you,

Cristen

Buffalo Technical Support <info@buffalotech.com>
Visit The Buffalo Forums - http://forums.buffalotech.com/
Technical support is provided to customers in US and Canada.
Telephone Support: (866) 752-6210


01/02/2013 21:50 - wrote:

Area of Interest: Technical Support
First Name: Keith
Last Name: XXXXXXX
Email: keith@XXXXXXXX
Buffalo Product: Wireless Networking
Operating System: Linux
Connection Type: Wireless
How may we assist you?
I have several Buffalo WCR-GN wireless routers. I wish to install DD-WRT on them
and while there is a DD-WRT build for this router, the router refuses to accept
the update via the Buffalo web interface on the router. Some online have hinted
that the Buffalo firmware that ships with the router requires firmwae updates
to be encrypted. Is this true? Do you have any technical information that would
assist those of us who wish to use DD-WRT on th WCR-GN?

Thanks,
Keith

Keith XXXXXXX <keith@xxxxxxx>
Jan 7 (1 day ago)

to Buffalo
Cristen,
No trouble, I'll just have to do it myself. I am a degreed electrical engineer
who designs computers for a living. I will, of course, post instructions on the net
so others who wish to reprogram their routers can do the same. I'll make sure to
post the data in as many forums as possible, along with your most helpful reply
on this matter.

best regards,
Keith XXXXXX.


Well I am a man of my word, so here we go!

2. HARDWARE
I have attached several photos of the unit in various
stages of disassembly and modification.

3. FLASHING DD-WRT
First I tried flashing DD-WRT using the Buffalo firmware web interface. I could
not get that to work. Searching on the net I found posts from others that speculated
that Buffalo encrypts their fimware somehow and this flashing DD-WRT via the web
interface would not work. There are also posts that mention a serial console
interface and the ability to use the serial interrface to flash DD-WRT via the router's
bootloader. Turn's out that's the way that DD-WRT needs to be flashed the first time.

3.A PREPARE THE ROUTER
In order to access the serial port, you need to take apart the router, locate the
JP1 connector and install pins in order to attach a serial cable. Refer to the attached photos. There
are two screws under the gray rubber feet. Gently
lift the rubber feet and save then to stick on later.
The screws are the Torx style (like that's going to stop anyone). Once you have the screws out, gently pry the case halves apart to access the circuit board.

You are going to need a serial cable. I used a USB to TTL serial cable that I
bought from Amazon:
PL2303HX USB to TTL to UART RS232 COM Cable module Converter
http://www.amazon.com/PL2303HX-RS232-Cable-module-Converter/dp/B008AGDTA4/ref=sr_1_1?s=electronics&ie=UTF8&qid=1357713673&sr=1-1&keywords=PL2303HX+USB+to+TTL+to+UART+RS232+COM+Cable+module+Converter

3.B ATTACHING THE CABLE
Refer to the attached photos to see the JP1 serial
connector pins identified and a photo of the USB
TTL serial connector connected to the WCR-GN.

NOTE: The cable needs to have TTL voltage levels, NOT RS-232 levels!

NOTE: If you have a different cable, you can use a voltmeter to determine which pin
on your serial cable is is the "TX Data" pin. Measure the voltage between the GND pin
of you cable (that's the black wire for my cable) and each of the data pins. The
pin with 3.3 volts on it is the "TX Data" pin. The TX Data pin on your cable goes to the
"RX Data" pin on the WCR-GN JP1 connector.

Strictly speaking, you don't have to do it the way I describe if you want to attach the serial cable a
different way.

3.C SETTING UP THE TERMINAL COMMUNICATIONS PROGRAM
I flashed the WCR-GN using the Kermit terminal communications program and Linux, so
the instructions below are Linux specific.

Here is the command file for Kermit:

[KeithO]

Would be nice if the attachment limit was higher.

[ruben00]

If you still have one of these routers with the original firmware, and a serial console, maybe you can get to the busybox command line and look for the encryption bynary, maybe bcrypt, or whatever they call it.

I figure if the firmware is encrypted, it first needs to decrypt it before it loads it into memory

once decrypted, we can probably break down the header/data part of the buffalo firmware and replace it with DD-WRT so it can be flashed via the Web GUI

[tigers2007]

Keith - have you played around with the actual DD-WRT yet? I just saw in this post http://www.dd-wrt.com/phpBB2/viewtopic.php?t=153874&highlight=wcrgn that it wasn't working out well. I don't know if that guy used the special WCR-GN version that you link to though.

[c0sm0ski]

Hi can You help me with understanding this ?
When my u-boot start i cannot choose other number in menu.
Automatically number 3 is selected so i cannot upload new firmware over tftp...

U-Boot 1.1.3 (Aug 11 2011 - 07:36:57)

Board: Ralink APSoC DRAM: 16 MB
relocate_code Pointer at: 80fb4000
spi_wait_nsec: 21
spi device id: c2 20 16 c2 20 (2016c220)
find flash: MX25L3205D
raspi_read: from:30000 len:1000
.*** Warning - bad CRC, using default environment

============================================
Ralink UBoot Version: 3.5.0.0
--------------------------------------------
ASIC 5350_MP (Port5<->None)
DRAM_CONF_FROM: Boot-Strapping
DRAM_TYPE: SDRAM
DRAM_SIZE: 128 Mbits
DRAM_WIDTH: 16 bits
DRAM_TOTAL_WIDTH: 16 bits
TOTAL_MEMORY_SIZE: 16 MBytes
Flash component: SPI Flash
Date:Aug 11 2011 Time:07:36:57
============================================
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:128, ways:4, linesz:32 ,total:16384

##### The CPU freq = 360 MHZ ####
estimate memory size =16 Mbytes
--->Set rt305x Gpio falsh, added by luowl for w150m, 20091014
.............................

Please choose the operation:
1: Load system code to SDRAM via TFTP.
2: Load system code then write to Flash via TFTP.
3: Boot system code via Flash (default).
4: Entr boot command line interface.
7: Load Boot Loader code then write to Flash via Serial.
9: Load Boot Loader code then write to Flash via TFTP.

You choosed 3
0

3: System Boot system code via Flash.
## Booting image at bc050000 ...
raspi_read: from:50000 len:40
. Image Name: 3G150M_SPI Kernel Image
Created: 2013-01-18 1:46:10 UTC
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 2467205 Bytes = 2.4 MB
Load Address: 80000000
Entry Point: 80401000
raspi_read: from:50040 len:25a585
...................................... Verifying Checksum ... OK
Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80401000) ...
## Giving linux memsize in MB, 16

Starting kernel ...
ŕpÇpđpÇp?ţ8př8
đ˙
Ç~ppç
ŕpŔ
Ŕpç0|ppÇpçppçsÇ
ŕ


And after this my router freeze...

Regards!
Chris

[aximpda-dd]

May be because the USB SERIAL CABLE to poor work .in the other USB SERIAL CABLE have to try.

[KeithO]

[KeithO]

[aximpda-dd]

Sometimes they would not see the AP at all.Think this problem has plagued with dd-wrt.If using a programmer to write the firmware.WIFI is fairly stable.

[sukanaqin]

KeithO,

Thank you for confirming the details on your setup. Wondering as you might
be able to publish those pics somewhere and paste a link here ?

Thanks !!!!


EDIT UPDATE: Look at that .... one needs to login to see the photos ))))

nm

[sukanaqin]

Ok, so for everyone who follows this thread, I can confirm that the firmware does load and run (minus wifi) which I dont mind as i have other wifi routers for this.

I circled around a solution to get the firmware loaded for a few days, bought way too many cables and pins and connectors and stuff (didnt but they cable that KeithO points too, perhaps that would have saved me a bundle, yes, it would have)

What I ended up with that worked was an osepp FTDI USB to serial breakout board that did the job quite nicely. Its a 3.3V/5V jumpered option ( choose 3.3v). See the image above, the VCC power cable is not connected and not
used.

I bought some header pins which I soldered onto the side pins of the FTDI at GND,TXD and RXD. Soldered pins into the TTL pins as per keith0 mapping above, and ready-made cable connected the pins as per the mapping above.

I have three WCR-GN, and the first one I upgraded to v1.08 firmware off of the buffalo website ....

DONT DO THIS.

My three routers came with V1.04 pre-installed, which kicks to the serial console right out of the gate. V1.08 appears to have dumped the serial
console or changed up com speeds as I get absolutely no output on boot
and when it does start talking (about 3 mins in) it dumps what appears to
be some other speed setting or character dump.

So I was able to flash two right out of the box, the third now at v1.08 may
have to stay that way unless anyone can advise how I get the door open to
the console connection such that I might wipe the nvram and reload
original firmware, which may/may not restore the serial console.

An additional item, one still must have a TFTP server setup as the router
polls the PC for this via the serial connection and pulls down the file.
Its not a push from the PC. Anyone having flashed before and wants to
correct or add any additional information to this thread please do.

Again, great instructions and key for me getting this router upgraded to
dd-wrt. thank you thank you thank you.

[telserv]

[LOM]

[bigbuffalo]

After searching on internet over months and making many trials with pain, I finally get dd-wrt to work with wifi signal on my WCR-GN router. I try to share my finding and observation here. Perhaps others may try if encounter the same problem.

I tried with different dd-wrt build on my WCR-GN router with v1.08 firmware. As reported by others in many threads, the wifi was not working at all. No wifi signal was detected from router. The router did not receive wifi signal as adjacent AP was not found when pressing “site-survey” button or “Wiviz” button on web GUI.

Last week, I found a threat www.right.com.cn/forum/thread-149466-1-1.html and made a trial (on the latest 20141222-r25697 build I lastly flashed) according to the instructions:
1. download the “mtbk.bin” file from that thread and change the MAC address at location indicated on the thread.
2. enable SSH and send the file to router /tmp folder with WINSCP
3. issue the command: cat /tmp/mtbk.bin > /dev/mtdblock2 on router through telnet
4. restore the factory default setting to erase nvram & reboot

When I checked the router MAC address with web GUI, I discovered that dd-wrt showed 2 diffferent MAC addresses (only different in last digit), one for WAN, and another for LAN & Wireless. I tried the Wireless MAC on “mtbk.bin” file. There was still no wifi signal after router reboot. dd-wrt also reported the same 2 different MAC addresses.

I then tried to change the MAC address in “mtbk.bin” file with WAN one and performed the above step 2~4 again. After restoring the factory default setting, strong wifi signal was detected. Adjacent AP can be found when “site-survey” button on web GUI was pressed. dd-wrt reported one MAC address for WAN, LAN and Wireless. wifi on my WCR-GN was working immediately.

I then tried to change the MAC address in “mtbk.bin” file back to the original Wireless one and performed above step 2~4 again. dd-wrt reported again 2 different MAC addresses, but strong wifi signal still can be detected. I forgot to make a backup copy of mtdblock2 from router before change. There is no way for me now to return to find the different in the download file and the original one in the router.

However, when the “Wiviz” button on web GUI is pressed, the wireless LED turns off, and the wifi signal from WCR-GN totally disappears. Although the wireless LED turns on again 1~2 second later, the wifi signal was not restored even after exiting “Wiviz” unless the router is reboot.

Finally, there remains a problem with WCR-GN I need to solve. When I tried with dd-wrt 2013-04-19-r21061 and later build, the LAN is not stable, disconnect and connect again very often. The web GUI showed that the CPU model is detected being Ralink RT3350 id:1 rev:2 and set the CPU clock to 384MHz. This was also shown through TTL serial. Once the boot up log shows CPU clock set to 384MHz, unreadable characters are shown and no command can be entered through TTL serial.

For 2013-02-11-r20675 build and before, the CPU clock is left at 320MHz (same speed as boot up before kernel start) and there is no LAN unstable problem (although the wifi is not working). Complete boot up log was displayed and command can be entered through TTL serial.

The CPU datasheet stated the clock is only 320MHz. The SDRAM on my WCR-GN is EM639165TS-6G. The datasheet indicates that the max frequency is only 166MHz. The unstable is suspected due to CPU overclocking and exceeding SDRAM frequency limit. I would like to set the CPU speed back to 320MHz. I had tried “nvram set clkfreq=” command, but the CPU clock remains 384MHz. There is no “clkfreq” entry with “nvram show” command. Can anyone help with this?