TP-Link Archer C9 Brick Fix (Revert To Stock Possibly)

DD-WRT Forum Index -> Broadcom SoC based Hardware
Aboshi (DD-WRT Novice, joined 19 Jun 2015, posts: 47)
Posted: Sat Jun 20, 2015 12:41    Post subject: TP-Link Archer C9 Brick Fix (Revert To Stock Possibly)
Hi Everyone,

Figured I would post this here to help some people if they brick/semi-brick their router. Just one thing: someone (or myself) will need to strip out the boot loader of the stock firmware if you want to revert to stock.

So this little adventure started when I got fed up with port forwarding not working whatsoever with the latest builds of dd-wrt (even putting in the firewall rules it just won't work). The only fix was to shut off the firewall entirely, and that is not an option...
So as everyone knows, there is a recovery mode on pretty much every new Broadcom based router, and the Archer C9 is no exception. Now here's the thing: I will walk you all through how to get into recovery mode and flash a new FW through TFTP. Be warned though: if you use a stock official firmware without a stripped boot loader you will brick! Only semi-brick, but still a brick nonetheless. So if you do this because you don't believe me or just want to test your luck, here's how to flash a new FW in recovery mode.

If you have a Mac there is a native TFTP server built in, Windows download TftpD32, Linux just follow the guide.
OSX - http://www.macupdate.com/app/mac/11116/tftpserver
Windows - http://download.cnet.com/Tftpd32/3000-2085_4-10114225.html
Linux - https://linuxlink.timesys.com/docs/linux_tftp

It goes without saying you need a hard-wired connection; plug into one of the LAN ports, not the WAN.

1. Download a stripped stock firmware for the Archer C9 (make sure it is the current version you upgraded from to dd-wrt, or you will more than likely run into issues). At the time of this writing there is no stripped FW, so you can test your luck with stock FW with boot loader and see if you have better luck than I did, but I highly doubt you will.

2. Rename the firmware to archerc9v1_tp_recovery.bin

3. Set your Ethernet address to 192.168.0.66, subnet 255.255.255.0 (the router will get an address of 192.168.0.86)

4. Place archerc9v1_tp_recovery.bin in the TFTP dir that you are serving out

5. Unplug your router, then hold the reset button on the back and plug the router back in. Hold the reset button for 2-4 seconds, then let it go. All of the lights will light up after a short time (this is the firmware being downloaded from your TFTP)

6. If all goes well the router should reboot and all is well; if not, the power light will blink slowly a few times, then rapidly blink.

7. At this point you're either back on stock firmware or you just semi-bricked because you didn't use a firmware with a stripped-out boot loader.

8. If you now have the rapidly flashing power light you are only semi-bricked. I fixed this by renaming the latest dd-wrt beta to archerc9v1_tp_recovery.bin and re-flashed in recovery, and I was back up and running in about 2 mins. At the time of this writing it was ftp://ftp.dd-wrt.com/betas/2015/06-19-2015-r27378/tplink_archer-c9/

So at this point we can only fix bricks/semi-bricks back to dd-wrt, or if you bricked your official firmware this will get you back on track with official firmware (just remember it needs to be the exact version you had if official).
As soon as I get binwalk working correctly I will try to strip out the boot loader of all official stock images but don't hold your breath as I am very busy lately. Hopefully one of you can handle stripping the boot loader and people can revert back to stock.

Also if any of you have a fix for the port forward issue please let me know because it is a super annoying bug.
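As an added example (not from the original post), a minimal read-only TFTP responder in Python for the recovery step above: it hands out exactly one file, under the name the recovery loader requests, so nothing else in the serving directory is reachable over the wire. It assumes the loader speaks plain RFC 1350 octet-mode TFTP and that the caller passes in a UDP socket already bound where the loader looks (port 69 on 192.168.0.66 in the procedure).

```python
import socket
import struct

RECOVERY_NAME = "archerc9v1_tp_recovery.bin"  # the only name the recovery loader asks for
BLOCK = 512                                    # RFC 1350 data block size
OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5

def parse_rrq(pkt):
    """Decode a read request; returns (filename, mode) or None for any other packet."""
    if len(pkt) < 4 or struct.unpack(">H", pkt[:2])[0] != OP_RRQ:
        return None
    parts = pkt[2:].split(b"\0")
    if len(parts) < 2:
        return None
    return parts[0].decode("ascii", "replace"), parts[1].decode("ascii", "replace").lower()

def serve_once(image, sock, timeout=30.0):
    """Answer one RRQ arriving on the bound UDP socket `sock`. Only a request for
    RECOVERY_NAME in octet mode is served (with the bytes of `image`); anything
    else gets a TFTP error. Returns the number of payload bytes delivered."""
    sock.settimeout(timeout)
    pkt, peer = sock.recvfrom(1024)
    req = parse_rrq(pkt)
    if req is None or req[0] != RECOVERY_NAME or req[1] != "octet":
        sock.sendto(struct.pack(">HH", OP_ERROR, 1) + b"file not found\0", peer)
        return 0
    # The transfer runs on a fresh socket so its port (TID) differs from the listener's.
    xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    xfer.settimeout(timeout)
    sent, blocknum = 0, 1
    try:
        while True:
            chunk = image[sent:sent + BLOCK]
            data = struct.pack(">HH", OP_DATA, blocknum & 0xFFFF) + chunk
            for _ in range(5):                      # resend up to 5 times without an ACK
                xfer.sendto(data, peer)
                try:
                    ack, src = xfer.recvfrom(4)
                    break
                except socket.timeout:
                    continue
            else:
                raise TimeoutError("no ACK for block %d" % blocknum)
            if src != peer or ack != struct.pack(">HH", OP_ACK, blocknum & 0xFFFF):
                continue                            # stray or duplicate ACK: resend this block
            sent += len(chunk)
            blocknum += 1
            if len(chunk) < BLOCK:                  # a short block is the last one
                return sent
    finally:
        xfer.close()
```

To use it for real, bind the socket to ("192.168.0.66", 69) as root, read the renamed image into `image`, and call `serve_once` before power-cycling the router with the reset button held.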
dchollet (DD-WRT Novice, joined 01 Jun 2011, posts: 9)
Posted: Sun Jun 21, 2015 23:46
Hi Aboshi.
This is exactly my situation. I recently made a TFTP to unbrick my C9 after a bad flash. I reflashed a DD-WRT firmware without bootloader successfully, but I think it's good to have the option to go back to stock firmware when needed. I'm not sure about the exact part of the firmware that must be stripped on Broadcom routers like this C9. Also there is no TP-Link firmware with *boot* in the filename available to download for the C9. Do you have the procedure to strip the bootloader for the C9 stock firmware?
Thanks in advance.

Daniel
Aboshi (DD-WRT Novice, joined 19 Jun 2015, posts: 47)
Posted: Tue Jun 23, 2015 17:08
There are a few ways to do it. One is to binwalk and unpack the FW, then remove the bootloader and repack. Or you can hex it out, but that can be a little more time consuming, looking for the section of the bootloader. I'm sure there are references on how to strip out the bootloader if you're going to try to tackle it yourself.
You can even load it up in IDA and analyze it that way.
Aboshi (DD-WRT Novice, joined 19 Jun 2015, posts: 47)
Posted: Mon Jul 06, 2015 13:04    Post subject: Strings
I have attached a HexDump and Strings from the OFW Archer_c9_v1_150122

I was having issues extracting the LZMA, but using FMK I was able to extract the FW. binwalk isn't detecting the structure right, though (I think, according to the strings I dumped). I also used FMK to flash back the new FW I created, both within the dd-wrt GUI and as a factory recovery with TFTP, with ZERO success.
I believe I am not stripping the bootloader out fully. If anyone else can give this a shot, please let me know how your luck goes. Here is a link to the firmware mod kit.
https://code.google.com/p/firmware-mod-kit/

I do suggest getting the latest binwalk source and compiling it and putting it in place of the one in FMK.



Attachment: strings.txt (Strings, 9.86 KB)
Attachment: hex.txt (HexDump, 52.39 MB)

condemnedxD (DD-WRT Novice, joined 06 Jul 2015, posts: 1)
Posted: Mon Jul 06, 2015 15:26
Can you please explain what you mean by set your ethernet address to 192.168.0.66? Are you talking about static IP address of the ethernet adapter?
mbursi (DD-WRT Novice, joined 03 Jul 2015, posts: 3)
Posted: Tue Jul 07, 2015 9:59    Post subject: strings
Hi Aboshi,

I tried the same path with binwalk, but with the same exact result you had (just different addresses since I used a different firmware).

I'll give a try to your suggestion tonight probably.
Please give a heads-up if you have any luck.

Thanks for the effort on this.
mbursi (DD-WRT Novice, joined 03 Jul 2015, posts: 3)
Posted: Tue Jul 07, 2015 13:08    Post subject: archer c9 firmware extraction
Hi Aboshi,

I managed to run fmk against a stock firmware using a later binwalk binary as you suggested.

What I am missing at the moment is how I can remove the bootloader part.
So the output of fmk is the following:
$ tree image_parts/
image_parts/
├── footer.img
├── header.img
└── rootfs.img

then in the fmk folder I also have the rootfs folder uncompressed:

$ ls rootfs/
bin dev etc lib mnt proc root sbin sys tmp usr var web

so in the image parts I don't see anything referring to the boot partition.

Any clue/hint?
dchollet (DD-WRT Novice, joined 01 Jun 2011, posts: 9)
Posted: Tue Jul 07, 2015 18:59
Good afternoon.
As I understand, the Tp-Link stock firmware with bootloader has the _boot_ in the firmware .bin file name. At present there is no such firmware to download for the C9. Please test using the D9 firmware, just to verify. The firmware path with _boot_ could be found at:
http://www.tp-link.com/en/handlers/download.ashx?resourceid=11587
mbursi (DD-WRT Novice, joined 03 Jul 2015, posts: 3)
Posted: Wed Jul 08, 2015 12:32
Hi dchollet,

thanks for the info. I downloaded the D9 firmware and the output looks clear now.


Code:
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
147972        0x24204         LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 254004 bytes
263168        0x40400         LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 3567520 bytes
1901056       0x1D0200        Squashfs filesystem, little endian, version 4.0, compression:lzma (non-standard type definition), size: 6871129 bytes,  540 inodes, blocksize: 131072 bytes, created: Thu May 14 09:01:01 2015
16515584      0xFC0200        TP-Link firmware header, firmware version: 0.0.0, image version: "ver.1.0.0", product ID: 0x89300000, product version: 1, kernel load address: 0x80010000, kernel entry point: 0x801D21E0, kernel offset: 0, kernel length: 766861, rootfs offset: 0, rootfs length: 1335296, bootloader offset: 0, bootloader length: 55120
16516096      0xFC0400        Broadcom 96345 firmware header, header size: 256, firmware version: "8", board id: "6318REF", ~CRC32 header checksum: 0xCC81F872, ~CRC32 data checksum: 0x9DE273A8
16525956      0xFC2A84        LZMA compressed data, properties: 0x6D, dictionary size: 4194304 bytes, uncompressed size: 215504 bytes
16571536      0xFCDC90        Squashfs filesystem, little endian, non-standard signature,  version 4.0, compression:gzip, size: 1167343 bytes,  334 inodes, blocksize: 65536 bytes, created: Fri Apr 24 05:03:54 2015
17738908      0x10EAC9C       LZMA compressed data, properties: 0x6D, dictionary size: 4194304 bytes, uncompressed size: 2305276 bytes


So at this point the only solution is to wait for a "boot" firmware from TP-Link and strip out the bootloader section from that one.
I would avoid stripping out the bootloader and Broadcom 96345 part from the firmware.
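An added example (not from the thread or from TP-Link) for reading the "TP-Link firmware header" that binwalk reports above, so the bootloader section length can be checked before anyone flashes an image in recovery. It assumes the 512-byte big-endian header layout from OpenWrt's mktplinkfw tool, which matches the field names binwalk prints; the sample header is constructed here from the values in the scan.

```python
import struct

# Legacy TP-Link firmware header (512 bytes, big-endian) as laid out in OpenWrt's
# mktplinkfw tool; assumed here to be the structure behind binwalk's report above.
HEADER_FMT = ">I24s36sIII16sI16sIIIIIIIIIIHHH"
HEADER_LEN = 512
FIELDS = (
    "version", "vendor_name", "fw_version", "hw_id", "hw_rev", "unk1",
    "md5sum1", "unk2", "md5sum2", "unk3", "kernel_la", "kernel_ep", "fw_length",
    "kernel_ofs", "kernel_len", "rootfs_ofs", "rootfs_len", "boot_ofs", "boot_len",
    "ver_hi", "ver_mid", "ver_lo",
)

def parse_header(blob, offset=0):
    """Decode the header at `offset`; strings are NUL-trimmed, the rest are ints."""
    raw = blob[offset:offset + HEADER_LEN]
    if len(raw) < HEADER_LEN:
        raise ValueError("truncated header at offset 0x%X" % offset)
    hdr = dict(zip(FIELDS, struct.unpack(HEADER_FMT, raw[:struct.calcsize(HEADER_FMT)])))
    for key in ("vendor_name", "fw_version"):
        hdr[key] = hdr[key].split(b"\0", 1)[0].decode("ascii", "replace")
    return hdr

def has_bootloader(hdr):
    """True when the header declares a bootloader section (the part this thread wants stripped)."""
    return hdr["boot_len"] > 0

def section_problems(hdr, image_size):
    """Sanity check before flashing: every declared section must lie inside the file."""
    problems = []
    for name in ("kernel", "rootfs", "boot"):
        ofs, length = hdr[name + "_ofs"], hdr[name + "_len"]
        if length and ofs + length > image_size:
            problems.append("%s section runs past end of file (0x%X+0x%X > 0x%X)"
                            % (name, ofs, length, image_size))
    return problems

def build_sample_header():
    """Constructed header carrying the field values binwalk printed in the scan above."""
    fixed = struct.pack(HEADER_FMT, 1, b"TP-LINK Technologies", b"ver.1.0.0",
                        0x89300000, 1, 0, b"\0" * 16, 0, b"\0" * 16, 0,
                        0x80010000, 0x801D21E0, 0, 0, 766861, 0, 1335296, 0, 55120,
                        0, 0, 0)
    return fixed.ljust(HEADER_LEN, b"\0")
```

On a real download, call `parse_header(open(path, "rb").read(), offset)` with the offset binwalk reported (0xFC0200 in the scan above).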
Aboshi (DD-WRT Novice, joined 19 Jun 2015, posts: 47)
Posted: Wed Jul 08, 2015 19:10
I'm not too sure about the C9 FW not having the boot loader, because if that was the case it would 100% flash in recovery mode either way.
After using FMK to unpack the FW you can see u-boot in the header.img as well as in the strings dump. The only other theory I have is a signature in recovery, but with a stripped boot loader you would be able to flash right over dd-wrt within the GUI.

I have attached the strings for the Archer D9 that was posted above and I see nothing referring to u-boot.



Attachment: Archer_D9(UN_V1_141027-strings.txt (8.36 KB)

dchollet (DD-WRT Novice, joined 01 Jun 2011, posts: 9)
Posted: Wed Jul 08, 2015 23:31
Hi Aboshi, according to WikiDevi this router uses CFE 6.37.14.93 from Broadcom instead of U-Boot, which is commonly used with the Atheros based TP-Link routers.
https://wikidevi.com/wiki/TP-LINK_Archer_C9_v1.x
Aboshi (DD-WRT Novice, joined 19 Jun 2015, posts: 47)
Posted: Wed Jul 08, 2015 23:33
more complete wiki:
http://wiki.openwrt.org/toh/tp-link/archer-c9
kooper2013 (DD-WRT Novice, joined 10 Jan 2013, posts: 13, location: DE)
Posted: Thu Jul 09, 2015 15:19    Post subject: F/W with boot stripped
Not sure if you knew this site (not for C9, but for D9):

http://www.friedzombie.com/tplink-stripped-firmware/

This helped me to unbrick my TL-WR710N-v1 from a bad flash. It seems there is no way to contact friedzombie.

Oh, btw, followed this:
https://forums.openpilot.org/blog/52/entry-92-unbrick-wr703n-wifi-router/?st=20#commentsStart

These addresses are the same for the 710 (just in case that blog goes down):
Code:
hornet> tftpboot 0x81000000 openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin
hornet> erase 0x9f020000 +0x3c0000
hornet> cp.b 0x81000000 0x9f020000 0x3c0000
hornet> bootm 9f020000


From there it was easy to get DD-WRT on it again.

HTH and sorry for hijacking.

_________________
3xBuffalo WLI-H4-D1300
1xBuffalo WHR-HP-G300N
1xBuffalo WHR-1166D (stock f/w)
1xTP710
Aboshi (DD-WRT Novice, joined 19 Jun 2015, posts: 47)
Posted: Thu Jul 09, 2015 19:11    Post subject: Re: F/W with boot stripped
kooper2013 wrote:
Not sure if you knew this site (not for C9, but for D9):

http://www.friedzombie.com/tplink-stripped-firmware/

This helped me to unbrick my TL-WR710N-v1 from a bad flash. It seems there is no way to contact friedzombie.

Oh, btw, followed this:
https://forums.openpilot.org/blog/52/entry-92-unbrick-wr703n-wifi-router/?st=20#commentsStart

These addresses are the same for the 710 (just in case that blog goes down):
Code:
hornet> tftpboot 0x81000000 openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin
hornet> erase 0x9f020000 +0x3c0000
hornet> cp.b 0x81000000 0x9f020000 0x3c0000
hornet> bootm 9f020000


From there it was easy to get DD-WRT on it again.

HTH and sorry for hijacking.


We're trying to get dd-wrt off.
Heinzek (DD-WRT User, joined 07 Apr 2013, posts: 59, location: Poland)
Posted: Sun Jul 12, 2015 8:37
Hi, I prepared some recovery firmware.
If you had old TP-Link firmware, then upgraded to OpenWrt, use the old one.

Try both firmware:
http://tplink-forum.pl/tp-link-od-srodka/archer-c9-3948/msg32329/#msg32329