TP-Link Archer C9 Brick Fix (Revert To Stock Possibly)

isrkar
DD-WRT Novice


Joined: 17 Apr 2016
Posts: 17

PostPosted: Wed Apr 20, 2016 16:37    Post subject: Reply with quote
I mean this command:
flash -noheader -offset=0xfe0000 192.168.0.66:mtd3.bin flash0
NoOneBR
DD-WRT Novice


Joined: 12 May 2009
Posts: 17

PostPosted: Wed Apr 20, 2016 20:09    Post subject: Reply with quote
Oh, ok! Thanks!

My problem is that the router does not respond to the CTRL+C command, so I can't send commands to the router.
Malachi
DD-WRT Guru


Joined: 17 Jul 2012
Posts: 7209
Location: Columbus, Ohio

PostPosted: Wed Apr 20, 2016 23:17    Post subject: Reply with quote
NoOneBR wrote:
Oh, ok! Thanks!

My problem is that the router does not respond to the CTRL+C command, so I can't send commands to the router.


You can't fix it. Trust me. Get another router.

_________________
I am far from a guru, I'm barely a novice.
isrkar
DD-WRT Novice


Joined: 17 Apr 2016
Posts: 17

PostPosted: Thu Apr 21, 2016 4:33    Post subject: Reply with quote
NoOneBR wrote:
Oh, ok! Thanks!

My problem is that the router does not respond to the CTRL+C command, so I can't send commands to the router.


I have about 2 seconds between power up and pressing CTRL+C for it to work, so try to do it faster.
mtunholi
DD-WRT Novice


Joined: 07 May 2016
Posts: 8

PostPosted: Sat May 07, 2016 1:41    Post subject: Reply with quote
Hi friends. My router, an Archer C9 v1, has the same problem as NoOneBR's: it doesn't start CFE (I'm using UART USB, tx-rx, rx-tx, gnd-gnd) and does not respond to Control-C; all lights are blue. Please help me.
mtunholi
DD-WRT Novice


Joined: 07 May 2016
Posts: 8

PostPosted: Sat May 14, 2016 0:40    Post subject: Reply with quote
Anyone? Help me.
Malachi
DD-WRT Guru


Joined: 17 Jul 2012
Posts: 7209
Location: Columbus, Ohio

PostPosted: Sat May 14, 2016 0:56    Post subject: Reply with quote
Malachi wrote:
NoOneBR wrote:
Oh, ok! Thanks!

My problem is that the router does not respond to the CTRL+C command, so I can't send commands to the router.


You can't fix it. Trust me. Get another router.

_________________
I am far from a guru, I'm barely a novice.
mtunholi
DD-WRT Novice


Joined: 07 May 2016
Posts: 8

PostPosted: Sat May 14, 2016 2:46    Post subject: Reply with quote
Really? Because some friends above seem to have solutions. I will wait for more experienced users. Thanks.
Derarchten
DD-WRT Novice


Joined: 14 May 2016
Posts: 6

PostPosted: Sun May 15, 2016 3:32    Post subject: Reply with quote
Hi Folks,

When I tried to flash the newest beta version r29621 from stock C9_V2_160315, the router ended up in a power loop.

I tried the TFTP method to revert, using several different firmware versions (DD-WRT and stock), with no success!

My last chance is the UART method, but there aren't bin files available for CFE flash on the V2 version.

chrisdmc wrote:
Latest DD-WRT firmware (01/25/2016) no longer overwrites TP-Link partitions, try first to revert to stock using TFTP method!

Please first read the entire post before attempting to flash.

Have got the black version of Archer C1900 from Costco and after flashing DD-WRT I was unable to revert to stock by using TFTP method. Although have figured out that the required file that the router was looking for was named ArcherC9v2_tp_recovery.bin, once the file is downloaded by the router, the file gets rejected by CFE.

Connecting with UART, the problem is that CFE (bootloader) is reading the product-info partition to match the new firmware image against the product version of the router before attempting to flash it. DD-WRT overwrites product-info (as well as default-mac and pin) partitions making the revert to stock using TFTP method impossible.

Expect Archer C9 to have the same problem since the partition layout is identical.

Thanks to work already done by @Heinzek and @Aboshi I was able to create a revert to stock image that can be used directly from DD-WRT or from CFE to restore the stock firmware.
Yes, that means you do not have to open the router case when using the first method.

Must read before flashing:

WARNING: This is for Costco Archer C1900 (black case), not for Archer C9 (white case). For Archer C9 a similar approach can be used to create a similar image by using the original C9 firmware.

WARNING: This image will overwrite not only os-image and file-system partitions but also default-mac, pin, product-info, partition-table, soft-version, support-list, profile and default-config partitions. user-config, log, radio-bk, radio and CFE will not be touched (unless you do something wrong from the command line). As stated before, I have found that DD-WRT overwrites at least default-mac to product-info partitions and in my case since I have tried JFFS support, have found partition-table, soft-version and support-list overwritten with other data too.

Since DD-WRT was not stable on my router, having intermittent disconnects on WiFi, for now was best to revert to stock until DD-WRT will be changed to not overwrite the above partitions and also have the WiFi and JFFS2 problems fixed.

DISCLAIMER: Have already tried the image a few times and was able to return to stock by flashing from DD-WRT web interface. Once to stock, you can flash the original image from TP-LINK website using TP-LINK web interface. It would be best if somebody that has UART and already opened the router case as I did would confirm first the image works as expected on his router too. Use at your own risk.

After flashing from DD-WRT, do not forget to reset the router by pressing the hardware reset button until all the lights turn on. It might take 20-30 seconds until the router will be accessible after the reset. Reset will also help to restore the MAC and Pin baked in the image.

Always flash it using a wired connection since it's expected to be more stable and less risky, especially if you do not want to open the router and restore it using UART. In case the transfer fails before being complete you might get a bricked device until you open it. Let DD-WRT complete the flash and reboot the router before attempting the hard-reset. Once done, you will have to change the IP address from 192.168.1.1 (DD-WRT) to 192.68.0.1 (TP-LINK) to connect to TP-LINK web interface.

How to use the revert image:

1. Just flash ddwrt-to-factory.bin as you flash a DD-WRT update (usually named archer-c1900-webflash.bin) from the DD-WRT web interface.
2. From CFE run the command line:

flash -noheader -offset=0x0 192.168.0.66:ddwrt-to-factory.bin flash0.trx

The mapping between the addresses on the router versus the ones in the image file:

01. partition os-image base 0x400000 size 0x200000 newbase 0x000000
02. partition file-system base 0x240000 size 0xc00000 newbase 0x200000
03. partition default-mac base 0xe40000 size 0x00200 newbase 0xe00000
04. partition pin base 0xe40200 size 0x00200 newbase 0xe00200
05. partition product-info base 0xe40400 size 0x00200 newbase 0xe00400
06. partition partition-table base 0xe50000 size 0x10000 newbase 0xe10000
07. partition soft-version base 0xe60000 size 0x00200 newbase 0xe20000
08. partition support-list base 0xe61000 size 0x0f000 newbase 0xe21000
09. partition profile base 0xe70000 size 0x10000 newbase 0xe30000
10. partition default-config base 0xe80000 size 0x10000 newbase 0xe40000

The image will set your MAC address to: AA-BB-CC-CC-BB-AA and the pin to something like: 12345670.

If you want to restore the MAC and pins that are written on the back of your router, you have to hex edit the ddwrt-to-factory.bin image using a hex editor and generate a new CRC32 code using the small CRC32 app attached. Here are the instructions:

1. To change the MAC, go to offset 0xe00000 in the image file, skip the first 8 bytes (the first 4 are for MAC address size and the next 4 for padding) and change the next 6 bytes from 'AA BB CC CC BB AA' to whatever is set on the back of your router.
2. To change the Pin, go to offset 0xe00200 in the image file, skip the first 8 bytes (padding) and change the pin from 11111111 to whatever is set on the back of your router. In this case you have to edit the pin number as text (decimals) and not as hex values.

After making the changes you are not done. You need to run CRC32.exe on the modified image to generate a new CRC32 that you will overwrite on the image at offset 0x8. If this step is skipped, the image will not be accepted by DD-WRT due to mismatch between the content and the CRC value.

In this case you need to change '6E 58 26 69' with the code generated by CRC32 app.
To get the new CRC, run the following command from the command prompt on the image that has the MAC and/or PIN already changed:

crc32 ddwrt-to-factory.bin 0xc

Once the old CRC32 is overwritten with the new one, save the file and use it to flash your router from DD-WRT web interface or from CFE if you have the UART and have opened the router case.

If changing the MAC and Pin seems too hard, just use the default image and once you are in the TP-Link web interface just overwrite the MAC and Pin with desired values.

If CRC32 doesn't start, you might have to download and install Visual C++ Redistributable for Visual Studio 2015 (vc_redist.x64.exe).


Where/How I can get this file for C9 V2 ?
isrkar
DD-WRT Novice


Joined: 17 Apr 2016
Posts: 17

PostPosted: Sun May 15, 2016 7:47    Post subject: Reply with quote
Derarchten wrote:
Where/How I can get this file for C9 V2 ?


I have a C9 v2, and I used the files for v1, and it works. But now my Archer accepts only v1 stock firmware, but it works great with DD-WRT (using Optware).
Derarchten
DD-WRT Novice


Joined: 14 May 2016
Posts: 6

PostPosted: Sun May 15, 2016 15:14    Post subject: Reply with quote
isrkar wrote:


I have a C9 v2, and I used the files for v1, and it works. But now my Archer accepts only v1 stock firmware, but it works great with DD-WRT (using Optware).


Thanks for your reply !

I have seen this discussion here before, for sure it is an alternative.

As far as I am concerned, there is a small hardware difference between versions; therefore I would try to flash a "correct" image and avoid future problems.
Derarchten
DD-WRT Novice


Joined: 14 May 2016
Posts: 6

PostPosted: Fri May 20, 2016 0:53    Post subject: Reply with quote
Finally I got my serial-USB converter and could troubleshoot the endless loop on my router.

Simply, the r29621 kernel was crashing without finishing the boot. It also overwrote the product-info partition, so I could not get the stock firmware back through recovery mode.

The solution was to flash the image provided by @chrisdmc for C9 V1 by serial port, once @isrkar had tried it successfully in advance.

After all that, I tried again to flash r29621 and it finished the same way (endless boot loop and product-info overwritten). Seems to me r29621 is a bad choice !!!

PS.: My router now is a V2 but only accepts V1 firmware !!!
Watch7ower
DD-WRT Novice


Joined: 01 Jan 2016
Posts: 5

PostPosted: Fri May 27, 2016 5:37    Post subject: Re: Archer C9 Revert to Stock Reply with quote
pepperoni wrote:
a1smith wrote:
chrisdmc wrote:
Latest DD-WRT firmware (01/25/2016) no longer overwrites TP-Link partitions, try first to revert to stock using TFTP method!

EDIT: The image is only for Archer c9 v1.

For Archer C9 I have modified 12.bin image from @Heinzek to make it flash from DD-WRT web interface.

WARNING: Wait until somebody who has opened the router case and has UART has flashed it and confirms that it works! Otherwise you could end up with a bricked router.

WARNING: The image will overwrite default MAC and Pin on your router, to restore them you will have to modify the image in same way I have posted instructions for Costco US Archer C1900 (black case) or in the worst case flash the 'default-mac' and 'pin' partitions from CFE with correct data.

To validate the image works as expected:

1. Extract ddwrt-to-factory.bin from the attached zip and flash it from DD-WRT web interface as you would normally flash a DD-WRT update image (webflash.bin). Wait until DD-WRT reboots the router.
2. After DD-WRT reboots the router, do a hard-reset by pressing the reset button for around 30secs or until all the lights turn on.
3. Once in TP-Link web interface, flash the router with an official firmware. It should work.
4. Try to flash the official firmware by using TFTP (instructions by @Heinzek - page 2).


I successfully flashed my TP-Link Archer C9 v1 back to stock firmware using your file. I updated the MAC, PIN, and CRC in the file. Here are a few comments to help out others.

The router MAC and PIN in the file are the original Heinzek values, not the values you mention in the C1900 post. I'm listing the values in the file to prevent confusion and so people can confirm they are updating the correct locations.

Router MAC: 14 CC 20 D1 DC AA
WPA key/WPS pin: 79342513 (37 39 33 34 32 35 31 33 in hex)

The CRC value in the file is 0D 28 7D 83.

Here is my router flash history. I did a factory reset using GUI before flashing to DD-WRT.

    1. Original TP-Link Firmware (firmware version 3.17.0, build 20150514, release 70681n)
    2. reset to factory defaults via GUI
    3. DD-WRT 12-24-2015-r28598
    4. DD-WRT 02-01-2016-r29002
    5. DD-WRT 12-24-2015-r28598
    6. reset to factory defaults via GUI
    7. revert to stock firmware via DD-WRT GUI (firmware version 3.16.28, build 20141112, release 46311n)
    8. flash to latest TP-Link firmware via GUI (firmware version 3.17.0, build 20150514, release 70681n)

Some other details:
- I never turned on jffs2 so I didn't clear any nvram this way.
- I never used 'erase nvram' command.
- From telnet, dmesg command after DD-WRT boot was showing 'Northstar Prototype' as hardware. This was probably due to DD-WRT firmware before 1/25/16 overwriting product info.
- I didn't confirm TFTP flash works (step 4 above) but the other two flashes worked without any problems.


Must be doing something wrong !!

1. Started with stock Archer C9_V1_150916
2. Reset to factory defaults via GUI
3. DD-WRT 03-25-2016 -r29546
4. DD-WRT 03-28-2016 -r29362
5. DD-WRT 04-05-2016 -r29409
6. Reset to factory defaults via GUI
7. Extracted the ddwrt-to-factory.bin file from the zip and changed the MAC, PIN & CRC as directed.
8. Flashed it (ddwrt-to-factory.bin) from DD-WRT web interface as you would normally flash a DD-WRT update image.
9. After DD-WRT reboots the router, did a hard-reset by pressing the reset button for around 30 secs or until all the lights turn on.
10. It still shows DD-WRT, but I flashed the original Archer C9_V1_150916 from GUI.
11. The flash says it was successful, but it comes back up to DD-WRT 04-05-2016 -r29409.
12. Here's where you tell me what I'm doing wrong !

Thanks guys !


Same problem here.

I was running DD-WRT v3.0-r29387(03/31/16) and downloaded the ddwrt-to-factory.bin file as provided in this thread, changed the MAC, wireless pin and CRC in the image.

Tried to upgrade and it's successful but after rebooting, DD-WRT is still present. I have tried 3 different browsers including having cleared the cache - no difference.

As for the CRC change, I could not get CRC32.exe to run on Windows 10 (the program closes a split-second after I open it)? So I used a CRC generator website instead and used that to get a CRC which I then injected into the image using a hex editor. Is this incorrect because CRC32.exe is supposed to inject the new CRC code into the image itself?
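As an added example (not part of any post in this thread, and not the CRC32.exe tool attached to it): a Python sketch of the MAC/PIN edit and CRC refresh from chrisdmc's instructions, including the check that matters for the CRC question just above. The offsets 0x8, 0xc, 0xe00000 and 0xe00200 come from the posts; the thread does not state which CRC-32 variant or byte order the header uses, so the code assumes it is one of two common variants, learns which from the untouched image, and refuses to patch if the stored value does not verify. Function names, the sample image and the sample MAC are constructed for illustration.

```python
import zlib

# Offsets quoted in the thread for ddwrt-to-factory.bin.
CRC_OFFSET = 0x8             # stored CRC32 (4 bytes)
CRC_START = 0xC              # checksum covers this offset to end of file
MAC_OFFSET = 0xE00000 + 8    # default-mac: skip 4-byte size + 4-byte padding
PIN_OFFSET = 0xE00200 + 8    # pin: skip 8 bytes of padding, then ASCII digits


def crc_field(image, variant, order):
    """CRC-32 of image[0xC:] encoded as the 4 bytes stored at offset 0x8."""
    value = zlib.crc32(bytes(image[CRC_START:])) & 0xFFFFFFFF
    if variant == "no-final-xor":      # assumption: variant without the final inversion
        value ^= 0xFFFFFFFF
    return value.to_bytes(4, order)


def detect_convention(image):
    """Return the (variant, byte_order) that reproduces the stored CRC, else None."""
    stored = bytes(image[CRC_OFFSET:CRC_OFFSET + 4])
    for variant in ("standard", "no-final-xor"):
        for order in ("little", "big"):
            if crc_field(image, variant, order) == stored:
                return variant, order
    return None


def patch_identity(image, mac, pin):
    """Write MAC and PIN, then refresh the CRC using the image's own convention."""
    if len(image) < PIN_OFFSET + 8:
        raise ValueError("image too short to hold default-mac/pin data")
    convention = detect_convention(image)
    if convention is None:
        raise ValueError("stored CRC does not verify; not patching")
    mac_bytes = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(mac_bytes) != 6:
        raise ValueError("MAC must be 6 bytes")
    if len(pin) != 8 or not (pin.isascii() and pin.isdigit()):
        raise ValueError("PIN must be 8 decimal digits, written as text")
    out = bytearray(image)
    out[MAC_OFFSET:MAC_OFFSET + 6] = mac_bytes
    out[PIN_OFFSET:PIN_OFFSET + 8] = pin.encode("ascii")
    out[CRC_OFFSET:CRC_OFFSET + 4] = crc_field(out, *convention)
    return bytes(out)


def make_sample_image(variant="no-final-xor", order="little"):
    """Constructed stand-in for the real file: zero-filled, placeholder MAC/PIN."""
    img = bytearray(0xE00400)
    img[MAC_OFFSET:MAC_OFFSET + 6] = bytes.fromhex("AABBCCCCBBAA")
    img[PIN_OFFSET:PIN_OFFSET + 8] = b"12345670"
    img[CRC_OFFSET:CRC_OFFSET + 4] = crc_field(img, variant, order)
    return bytes(img)


if __name__ == "__main__":
    original = make_sample_image()
    patched = patch_identity(original, "02-00-00-00-00-01", "00000000")
    print("convention found in original:", detect_convention(original))
    print("patched image verifies:", detect_convention(patched) is not None)
```

A checksum taken over the whole file, or with a different variant or byte order than the one already in the header, will not reproduce the stored value; running `detect_convention` on the edited file before flashing catches that.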
joeyluu
DD-WRT Novice


Joined: 28 May 2016
Posts: 6

PostPosted: Sat May 28, 2016 16:12    Post subject: Re: TP-Link Archer C9 Brick Fix (Revert To Stock Possibly) Reply with quote
Hi, I need some help trying to get my Archer C9 v1 working again.
My router was running the TP-LINK Archer_C9_V1_150507 firmware. I upgraded the firmware to the latest one, Archer C9_V1_150916 from the web admin page. From there I upgraded the firmware to factory-to-ddwrt.bin v29739 downloaded from http://www.dd-wrt.com/site/support/other-downloads?path=betas%2F2016%2F05-19-2016-r29739%2Ftplink_archer-c9v1%2F
Everything seemed normal. The router said the flash was successful and then the router rebooted. Now the router seems stuck in a reboot loop. All the lights turn on for 4 seconds and turn off. 12 seconds later all the lights turn on again for 4 seconds and turn off again. It repeats this over and over again. I tried TFTP with several different bin files but none works. What can I do to fix it?

The TFTP steps I tried (steps from Aboshi):
1. Downloaded firmware. I tried the three different tp-link official firmwares, Heinz oldorgArcherC9v1_tp_recovery.zip, factory-to-ddwrt.bin, and archer-c9v1-webflash.bin.
2. Rename the Firmware to archerc9v1_tp_recovery.bin
3. Set pc ethernet address to 192.168.0.66 subnet 255.255.255.0
4. Set TFTP dir to the downloaded firmware.
5. Unplug your router, then hold the reset button on the back and plug the router back in. Hold the reset button for 4 seconds then let it go.
6. Waited 2 minutes to allow router to configure the firmware.

The TFTP transferred each file to the router successfully each time.
I repeated the above steps for each firmware but it is stuck in the reboot loop each time.


Last edited by joeyluu on Mon May 30, 2016 1:22; edited 2 times in total
user1514
DD-WRT Novice


Joined: 19 Jan 2014
Posts: 5

PostPosted: Sun May 29, 2016 6:40    Post subject: Reply with quote
I just semi-bricked my Archer C9 v2 :(

I used r29739 factory-to-ddwrt.bin from stock (don't know what version).

It's in the power loop situation described above.

What's the last working version? If I manage to get serial working, I want to flash a working copy.