[solved] WZR-HP-G450H and TFTP original firmware

Post new topic   Reply to topic    DD-WRT Forum Index -> Atheros WiSOC based Hardware
Goto page Previous  1, 2, 3  Next
Author Message
n0r1n0x
DD-WRT Novice


Joined: 31 May 2013
Posts: 1

PostPosted: Fri May 31, 2013 18:23    Post subject: Reply with quote
RRuo58 wrote:
Sergius14 wrote:
Can somebody explain a little more about how to get and compile buffalo-enc.c and also how/what to strip from the enc Firmware files?


Here is little more.
buffalo-enc.c is in OpenWrt sources and You need binary file editor to see Start Sections in an .enc file.


I'm posting this as a followup to the nightmare experience I've just had and conquered concerning the Buffalo wzr-hp-g450h router. First some praise: The router's signal strength doubled that of my prior router, and living in an apartment complex with about ~30 AP's around, this helped the dropped signals a lot from my laptop and desktop computers.

That being said, I eventually turned on my xbox 360 to find, lo and behold, it could not associate with the buffalo router. It's running firmware 24v2 20025 (ddwrt), with WPA2 Personal AES. Should be simple to connect my Xbox 360 to it. After several tries, I started googling, only to find that this particular router firmware might not let the xbox connect, and that one would have to revert to the buffalo "user friendly" firmware to get the xbox 360 connected.

I rejected this immediately, as I bought this router specifically for the DDWRT firmware, and decided to see if another firmware implementation could suffice. I loaded on OpenWRT, only to encounter the same issue with being unable to associate my xbox, and so I chalked it up to faulty hardware. Now the fun begins.

Since I was planning on returning it, I had to put the original firmware back on the unit, only to find that the openwrt flasher didn't recognize the .enc files provided by buffalo to be valid firmware images! After much searching, I came across this post, which only generally outlined how to unencrypt the firmware files, but provided no details despite the cries for help from other Buffalo customers in the same boat as me.

Well here they are:

1. Download the openwrt source files and look for buffalo-enc.c, buffalo-lib.c, and buffalo-lib.h.

2. Open buffalo-enc.c and add the line to the top:

#include "buffalo-lib.c"

3. Use whatever C/C++ compiler you want, but I used gcc:

gcc -o buffalo-enc.prog buffalo-enc.c

4. Now you have the decryption program, but you'll need to strip off the first "start" section of the firmware using a hex editor. I used wxhexedit 0.22 (0.21 has a bug that disallows saving truncated files). You must highlight and delete the first 208 bytes of the firmware file up to the second "start" word in the file.

5. After saving this, run buffalo-enc.prog -d -i wzrhpg450h-pro-v24sp2-20025.enc -o decrypted.bin

6. This will produce feedback text in your terminal indicating the decryption was successful.

7. You may now use the Openwrt (or any firmware flash gui running from your router) and it won't complain of an invalid firmware image.

I hope this helps someone. I hope one day to see Buffalo's firmwares to become fully open. Seeing such functional hardware being mishandled by faulty software is a shame.
Sponsor
totsubo
DD-WRT Novice


Joined: 07 Sep 2009
Posts: 8

PostPosted: Sun Jun 02, 2013 0:50    Post subject: Reply with quote
n0r1n0x wrote:

5. After saving this, run buffalo-enc.prog -d -i wzrhpg450h-pro-v24sp2-20025.enc -o decrypted.bin

6. This will produce feedback text in your terminal indicating the decryption was successful.

7. You may now use the Openwrt (or any firmware flash gui running from your router) and it won't complain of an invalid firmware image.


First off a huge thank you nor1nox!

Could you expand on what the exact steps we need to do after #6 above? I'm not clear on what you need to do with the decrypted.bin file that gets generated. Is it as simple as using the web GUI and load decrypted.bin as a firmware update?

I'll give this a try later on tonight and report back!
totsubo
DD-WRT Novice


Joined: 07 Sep 2009
Posts: 8

PostPosted: Sun Jun 02, 2013 13:57    Post subject: Reply with quote
n0r1n0x wrote:

I'm not clear on what you need to do with the decrypted.bin file that gets generated. Is it as simple as using the web GUI and load decrypted.bin as a firmware update?

I'll give this a try later on tonight and report back!


I ran the decryption program and got this output:

Code:

$ ./buffalo-enc.prog -d -i wzrhpg450h-pro-v24sp2-20025-2.enc -o decrypted.bin
Magic      : 'start'
Seed      : 0xc8
Product      : 'WZR-HP-G450H'
Version      : '1.86'
Data len   : 15024128
Checksum   : 0xd7b30075


I then tried to upload this using the stock firmware update web page that coms with the router. Unfortunately I got this error message:

ファームウェアデータが正しくありません。再起動します。

Basically this says that the firmware was not valid and the router will reboot.

Shucks Sad
wpinegar
DD-WRT User


Joined: 09 Jul 2006
Posts: 55

PostPosted: Wed Jun 05, 2013 4:08    Post subject: Reply with quote
I had a similar situation and ended up with the following steps that worked well for me to revert a WZR-HP-G450H from running OpenWrt Attitude Adjustment back to the encrypted version of DD-WRT available directly from Buffalo's web site:

1. Download the factory default DD-WRT firmware from Buffalo's web site.
2. Strip-off the first 208 bytes from the 'wzrhpg450h-pro-v24sp2-20025.enc' file using the 'dd' linux command.
3. Run the 'buffalo-enc' as described in previous postings to create a unencrypted version of the DD-WRT firmware.
4. Use the standard OpenWRT 'sysupgrade' process to update to DD-WRT firmware.

If anyone needs it in the future I've posted the unencrypted version of DD-WRT 'wzrhpg450h-pro-v24sp2-20025.decrypted.bin' on Skydrive at the following location: http://sdrv.ms/11qGrlG
totsubo
DD-WRT Novice


Joined: 07 Sep 2009
Posts: 8

PostPosted: Wed Jun 05, 2013 4:40    Post subject: Reply with quote
wpinegar wrote:
I had a similar situation and ended up with the following steps that worked well for me to revert a WZR-HP-G450H from running OpenWrt Attitude Adjustment back to the encrypted version of DD-WRT available directly from Buffalo's web site:

...


Hi wpinegar and thanks for listing those steps.

Your case is pretty much the reverse of what I would like to do. You already have OpenWrt running and are reverting back to a Buffalo firmware.

I'm running the stock Japanese Buffalo firmware and I want to install OpenWrt.

Is your router a Japanese model? If so can I ask you to post instructions on how you got OpenWrt installed on it? I'd be forever grateful!

PS Why did you decide to revert from OpenWrt back to the stock Buffalo firmware? Was OpenWrt missing some functionality?
wpinegar
DD-WRT User


Joined: 09 Jul 2006
Posts: 55

PostPosted: Wed Jun 05, 2013 5:08    Post subject: Reply with quote
If you want to upgrade to OpenWRT Attitude Adjustment (or later), I would recommend that you upgrade from the Japanese stock firmware to DD-WRT and then from there the upgrade instructions to OpenWRT are pretty simple and available from the OpenWrt Wiki referenced below. The reason we wanted to restore back to DD-WRT from OpenWrt was simply because our testing efforts with the latest builds of OpenWrt had been successful and we were simply restoring the router to the factory defaults.

Anyway, here are the instructions to upgrade to DD-WRT (Pro firmware) from Buffalo friendly firmware followed by a link to the appropriate OpenWrt Wiki to upgrade from DD-WRT to OpenWrt.

This steps below are taken directly from the instructions provided on Buffalo's web site in the DD-WRT download ZIP file:

User friendly Firmware -> Professional Firmware

1.When the login prompt appears, enter "root" for the username and leave the password field blank. Note: if you configured a password, enter the password that you configured.

2.Click "Update AirStation Firmware" at the top of the screen.

3.Click "Browse" to the right of "Firmware File Name" and browse to the extracted firmware file with the form "wzrhpg450h-pro-v24sp2-***.enc" (where *** is the version number). Click "Update Firmware".

4.During the firmware update, the Diag LED will flash for about 5 minutes. When the update is complete, the LED will turn off. Do not turn off the AirStation until the firmware update is complete. If the unit is unplugged while the Diag LED is still flashing, the AirStation may be damaged.

5.Please proceed to next step, "Firmware Version Confirmation".

Firmware Version Confirmation
1.To open the setup screen, refer to steps 1 to 3 of "How to update the firmware" above.

2.To see Router Information, please click the "Status" tab at the top of the screen.

3.Confirm that the Firmware Version is "build 20025".

Upgrade to OpenWRT

1. Follow the steps outlined in the OpenWrt Wiki to upgrade from DD-WRT to the latest build of OpenWrt. http://wiki.openwrt.org/toh/buffalo/wzr-hp-g450h#migrate.from.dd-wrt.to.openwrt
wpinegar
DD-WRT User


Joined: 09 Jul 2006
Posts: 55

PostPosted: Wed Jun 05, 2013 5:39    Post subject: Reply with quote
If you would like alternate instructions for moving from the stock Buffalo friendly firmware to OpenWrt then the following should work. I haven't tested this personally but in theory the process 'should' work:

1. Download the latest 'sysupgrade' build of OpenWrt for your Buffalo router.
2. Run the 'buffalo-enc' utility referenced above, but encrypt the file instead of decrypting it. The command will be similar to the following:
Code:
buffalo-enc -m 'start' -p 'WZR-HP-G450H' -v '12.09' -i openwrt-ar71xx-generic-wzr-hp-g450h-squashfs-sysupgrade.bin -o openwrt-ar71xx-generic-wzr-hp-g450h-squashfs-sysupgrade.enc

3. Use the 'update airstation firmware' option in the webui of the Buffalo factory firmware to update to the encrypted version of the OpenWrt firmware.

To make this process easier I've uploaded an encrypted version of the OpenWrt Attitude Adjustment 12.09 firmware onto Skydrive at the following URL. This should upload through the standard 'update airstation firmware' in the factory firmware: http://sdrv.ms/11XnPeX
totsubo
DD-WRT Novice


Joined: 07 Sep 2009
Posts: 8

PostPosted: Wed Jun 05, 2013 5:55    Post subject: Reply with quote
Hi wpinegar and thank you for the posts.

You instructions seem good but I think you missed the part where I said my router what the "Japanese" model Smile (One difference for example is that default user ID for the web interface is 'admin', not root, and the default password is 'password')

I don't know what it is but there is something about the Japanese model that disables installing dd-wrt (or even the Buffalo pro firmware from the US) using the web interface.

Trying to install the firmware gives this error message:

ファームウェアデータが正しくありません。再起動します。
wpinegar
DD-WRT User


Joined: 09 Jul 2006
Posts: 55

PostPosted: Thu Jun 06, 2013 4:51    Post subject: Reply with quote
Alright, so you appear to have an issue specific to the Japanese units. From reviewing other forum posts on Buffalo routers manufactured for the Japanese market there appears to be an 'ubootenv set region' command that you need to run to change the router form the 'JP' to the 'US' market. Once that is done you should be able to flash an appropriate 'US' firmware without issue.

I did visit the Japanese Buffalo web site and downloaded the Japanese version of the WZR-HP-G450H firmware and confirmed that the Japanese firmware is encrypted using the same process as the US firmware, but after decrypting the firmware I could also see that there is a 'JP' string starting at position 0x22 in the header which could be checked during a firmware upgrade to confirm that the firmware was written for the correct region.

Take a look at the following thread and see if any of this works for you. Specifically it appears that you need to enable telnetd on the router via a hidden web page to run the appropriate ubootenv commands.
http://www.dd-wrt.com/phpBB2/viewtopic.php?p=747357

There should be no problems updating a Japanese unit to the US "friendly" firmware or even DD-WRT once you set the ubootenv setting correctly. I have verified that they are all encrypted and use the same style of 208-byte header.
totsubo
DD-WRT Novice


Joined: 07 Sep 2009
Posts: 8

PostPosted: Thu Jun 06, 2013 5:01    Post subject: Reply with quote
wpinegar wrote:
... there appears to be an 'ubootenv set region' command that you need to run to change the router form the 'JP' to the 'US' market. Once that is done you should be able to flash an appropriate 'US' firmware without issue.

I did visit the Japanese Buffalo web site and downloaded the Japanese version of the WZR-HP-G450H firmware and confirmed that the Japanese firmware is encrypted using the same process as the US firmware, but after decrypting the firmware I could also see that there is a 'JP' string starting at position 0x22 in the header which could be checked during a firmware upgrade to confirm that the firmware was written for the correct region.

Take a look at the following thread and see if any of this works for you. Specifically it appears that you need to enable telnetd on the router via a hidden web page to run the appropriate ubootenv commands.
http://www.dd-wrt.com/phpBB2/viewtopic.php?p=747357

There should be no problems updating a Japanese unit to the US "friendly" firmware or even DD-WRT once you set the ubootenv setting correctly. I have verified that they are all encrypted and use the same style of 208-byte header.


Thanks for the follow up!

I've tried before to set the uboot region variable to US (like the link you posted suggests) but that didn't work. I have a feeling that the newer Japanese models don't look at that var and are actually hard-coded to use 'JP' and bypass the uboot setting.

Great work on identifying the 'JP' at position 0x22 though! That might be what I need. I'll try editing the US version and changing whatever is at 0x22 to JP and loading that.

I'll report back as soon as get home and give this a try Smile

PS Once I edit the US version and add 'JP' to 0x22, do you think I will need to re-encode before uploading? If I need to re-encode will using the default key ('Buffalo' I think it is) work?
wpinegar
DD-WRT User


Joined: 09 Jul 2006
Posts: 55

PostPosted: Thu Jun 06, 2013 13:14    Post subject: Reply with quote
You may need to reboot the router after changing any of the ubootenv settings. It's possible that once you run 'ubootenv set accept_open_rt_fmt' you may be able to flash any firmware, whether it's encrypted or not.

It looks like the 'JP' that I spotted at position 0x22 may only be an artifact. You'll need to strip-off the first 'start' header on the original Japanese firmware by removing the first 208 bytes from the file, then you'll have the second 'start' header and a file which you can decrypt using the buffalo utilities. If you look in the buffalo-lib.h in the OpenWRT sources there is a reference to both region and language in the buffalo_tag header...

You could try looking for a ubootenv setting that indicates the language as well. It's possible that this setting needs to match the firmware...
wpinegar
DD-WRT User


Joined: 09 Jul 2006
Posts: 55

PostPosted: Thu Jun 06, 2013 17:42    Post subject: Reply with quote
Here is an excerpt from buffalo-lib.h that shows the buffalo_tag header. Based on this region_code would start at position 0x50 within the header and language several bytes after that...the header is also encrypted (until you decrypt it)...it's just crazy...

#define TAG_BRAND_LEN 32
#define TAG_PRODUCT_LEN 32
#define TAG_VERSION_LEN 8
#define TAG_REGION_LEN 2
#define TAG_LANGUAGE_LEN 8
#define TAG_PLATFORM_LEN 8
#define TAG_HWVER_LEN 4
#define TAG_HWVER_VAL_LEN 4

struct buffalo_tag {
unsigned char product[TAG_PRODUCT_LEN];
unsigned char brand[TAG_BRAND_LEN];
unsigned char ver_major[TAG_VERSION_LEN];
unsigned char ver_minor[TAG_VERSION_LEN];
unsigned char region_code[2];
uint32_t region_mask;
unsigned char unknown0[2];
unsigned char language[TAG_LANGUAGE_LEN];
unsigned char platform[TAG_PLATFORM_LEN];
unsigned char hwv[TAG_HWVER_LEN];
unsigned char hwv_val[TAG_HWVER_VAL_LEN];
uint8_t unknown1[24];

uint32_t len;
uint32_t crc;
uint32_t base1;
uint32_t base2;
uint32_t data_len;
uint8_t flag;
uint8_t unknown2[3];
} __attribute ((packed));
hancox
DD-WRT Novice


Joined: 13 May 2007
Posts: 36

PostPosted: Fri Jun 07, 2013 18:25    Post subject: Reply with quote
...just wish the builds for this router would re-appear, already! I don't want Open-WRT! Smile
Sergius14
DD-WRT Novice


Joined: 24 Jan 2012
Posts: 2

PostPosted: Fri Aug 02, 2013 0:26    Post subject: Reply with quote
GENIUS !!!!

I successfully recovered my router from OpenWRT. Now my router has Buffalo DD-WRT again.


Many thanks for the help!


n0r1n0x wrote:
RRuo58 wrote:
Sergius14 wrote:
Can somebody explain a little more about how to get and compile buffalo-enc.c and also how/what to strip from the enc Firmware files?


Here is little more.
buffalo-enc.c is in OpenWrt sources and You need binary file editor to see Start Sections in an .enc file.


I'm posting this as a followup to the nightmare experience I've just had and conquered concerning the Buffalo wzr-hp-g450h router. First some praise: The router's signal strength doubled that of my prior router, and living in an apartment complex with about ~30 AP's around, this helped the dropped signals a lot from my laptop and desktop computers.

That being said, I eventually turned on my xbox 360 to find, lo and behold, it could not associate with the buffalo router. It's running firmware 24v2 20025 (ddwrt), with WPA2 Personal AES. Should be simple to connect my Xbox 360 to it. After several tries, I started googling, only to find that this particular router firmware might not let the xbox connect, and that one would have to revert to the buffalo "user friendly" firmware to get the xbox 360 connected.

I rejected this immediately, as I bought this router specifically for the DDWRT firmware, and decided to see if another firmware implementation could suffice. I loaded on OpenWRT, only to encounter the same issue with being unable to associate my xbox, and so I chalked it up to faulty hardware. Now the fun begins.

Since I was planning on returning it, I had to put the original firmware back on the unit, only to find that the openwrt flasher didn't recognize the .enc files provided by buffalo to be valid firmware images! After much searching, I came across this post, which only generally outlined how to unencrypt the firmware files, but provided no details despite the cries for help from other Buffalo customers in the same boat as me.

Well here they are:

1. Download the openwrt source files and look for buffalo-enc.c, buffalo-lib.c, and buffalo-lib.h.

2. Open buffalo-enc.c and add the line to the top:

#include "buffalo-lib.c"

3. Use whatever C/C++ compiler you want, but I used gcc:

gcc -o buffalo-enc.prog buffalo-enc.c

4. Now you have the decryption program, but you'll need to strip off the first "start" section of the firmware using a hex editor. I used wxhexedit 0.22 (0.21 has a bug that disallows saving truncated files). You must highlight and delete the first 208 bytes of the firmware file up to the second "start" word in the file.

5. After saving this, run buffalo-enc.prog -d -i wzrhpg450h-pro-v24sp2-20025.enc -o decrypted.bin

6. This will produce feedback text in your terminal indicating the decryption was successful.

7. You may now use the Openwrt (or any firmware flash gui running from your router) and it won't complain of an invalid firmware image.

I hope this helps someone. I hope one day to see Buffalo's firmwares to become fully open. Seeing such functional hardware being mishandled by faulty software is a shame.
cassioac
DD-WRT Novice


Joined: 26 Apr 2007
Posts: 7

PostPosted: Thu Mar 06, 2014 7:53    Post subject: same here Reply with quote
totsubo wrote:
Hi wpinegar and thank you for the posts.

You instructions seem good but I think you missed the part where I said my router what the "Japanese" model Smile (One difference for example is that default user ID for the web interface is 'admin', not root, and the default password is 'password')

I don't know what it is but there is something about the Japanese model that disables installing dd-wrt (or even the Buffalo pro firmware from the US) using the web interface.

Trying to install the firmware gives this error message:

ファームウェアデータが正しくありません。再起動します。


Hi totsubo, I have the exact same problem and already went through all your same steps without success, did you ever succeed in switching the war-450hp firmware to english?

Best Regards,

Cassio
Goto page Previous  1, 2, 3  Next Display posts from previous:    Page 2 of 3
Post new topic   Reply to topic    DD-WRT Forum Index -> Atheros WiSOC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum